Re: Truer words have not been spoken
That depends who the attackers are. If you're dealing with regular internet hackers, that may be true. If you're high enough profile to get noticed by nation-state hackers though, then they'll already have their ways of getting into any major cloud service - by means of warrant, threats or hacking - and you can't trust any hardware you don't have physical control over.
Hackers crack your server's authentication. The NSA just strolls over to Microsoft and waves a 'give us your data, tell no-one or you go to jail' letter. Or the FSB might do likewise, and point out that there are billions of dollars to be made in Russia and a company that doesn't cooperate with investigations may not be able to operate in the country. You get the idea.
Identify your threats, choose appropriate countermeasures. Chances are your organisation isn't going to merit the directed attentions of any state intelligence agency, so for the most part you don't have to worry about them - just the standard barrage of opportunistic script kiddies, ransomware, DDoS extortion, hactivists, spammers and all our favourite internet ne’er-do-wells. In which case, Azure or Amazon or some lesser-known cloud may well be more secure than your own team of non-specialists.