It's an overused and abused argument but it's not a null argument (e.g. just FUD). It has enough validity not to overcorrect the other way. As a general rule, organizations at least need to carefully consider the true cost commitments of providing even near-par level of security with their own internal resources as they could get 'out-of-the-box' from a cloud provider. It's easy for organizations to imagine they will, quite another for most to actually pull it off in an auditable fashion. The minute an org starts opening holes in their firewalls to accommodate remote access or using cloud-based tools for remote access, I start to get skeptical (e.g. how well is that network segregated, anyway?). The shear volume of internal process and policy dependencies that need to be managed and maintained to "do it right" is a supremely tough burden for SMBs, for instance.