Cloud hosting is intrinsically less secure, since administration logins have to pass through an external, public, network (however well thought out the session initiation encryption may be) from an infrastructure that's outside of the cloud's security framework. There are often significant economies of scale to be gained, particularly for small and medium sized organizations that can't afford dedicated administration staff for tasks like patching, backup, and netflow monitoring. But paying a cloud provide for hosting administration denies the organization the economies of scale that would otherwise be gained for local administration and security, making any local security more expensive. If local security is weak, then the logins to administer cloud services are easily compromised from the client location, and the cloud security fails. This is how most cloud security failures occur. Two factor logins provide limited benefits, since a legitimate session from a compromised local machine can be hijacked.
Very large organizations that use public cloud are often wasting money and taking unnecessary risks.
Large organizations can gain most of scale benefits of cloud hardware and platform maintenance and add to that the benefit of protecting the organization with scale savings on very strong local security.