Discussing security policy post-OPM debacle in a setting to which I have access (sorry to be oblique), it was said by a CxO "We have to prepare for the day when no software we depend on is run on premises."
Well, for one thing, it removes physical access to machines from insiders on your end, and in many cases, also direct access to data, particularly in its bulk form. With conscious effort and the right resources, you might be able to come up with better security controls than the large service providers, but right now, most organizations don't have much of an audit trail for locally run services. I'm not sure if moving data off premises actually results in a net loss of control over it. Not because the service providers are so good at security, but because various factors conspire to make almost everyone else so bad.