Whilst it's true that Microsoft or any other public cloud provider spends a fortune on security, there is also the factor that Azure (or whatever cloud) also has a much bigger target on it than the average on-prem datacentre. Plus, it is publicly accessible by anyone who wants to set up an account, which greatly increases attack surface in it's own right. Is the extra money spent on security enough to counteract the greater risks public cloud is exposed to? That's a matter of opinion. Whilst on-prem might be vulnerable as well, many companies are relatively anonymous on-prem and aren't obvious targets for attackers. Plus, they can put extra layers of security round themselves to control who can connect etc. Finally, an attack against an on-prem datacentre ensures only one company is hit, whereas an attack on Azure ensures the impact is so much wider. Question is, how long till someone exploits an issue in Azure or any other public cloud? It seems an inevitability it will occur.