1. Running a secure operation requires a lot of attention to administrative detail, which can be challenging for a small IT group. When you're putting out a dozen fires per day, it's easy to misconfigure a system or neglect a patch. There's less chance that that a large public cloud provider will overlook such fundamentals.
2. When it comes to the underlying infrastructure, cloud environments tend to offer a limited selection, which enforces simplicity.
3. In a public cloud environment, many customers' eyes are on the provider. When you run your own infrastructure, the only other eyes on your servers and applications are those of attackers--and you won't know what they've uncovered until it's too late.
4. Using a provider can free up both time and budget that can be applied elsewhere--such as in better development practices to head off code vulnerabilities before they bite you.