I'm really quite astounded that there haven't been more huge cloud hacks. I guess hypervisor authors and cloud providers have taken security seriously enough.
Probably the cloud providers don't make a lot of noise about incidents, they might even be paying off parties or providing forensic assistance on condition of NDA only. Certainly they don't seem to be publishing security advisories about vulnerabilities in their platfomrs. Looking at eg the multilayered breakins at pwn2own, these attacks should not be beyond the state of the art.
(This doesn't rule out paying a lot of attention to security, of course).
The existence of hypervisor rootkits and the vast scale of cloud provider operations argue for caution.
For example, a state-level actor can afford to train and place operatives into an AWS-scale organization with enough access to infiltrate and undermine the system.
We use bare metal hosts for the ZeroTier CAs. This is one reason, though cost/CPU is another. These machines are CPU-bound, spending most of their time signing network configs. CPU is way cheaper at OVH (bare metal) than anywhere else.
(This doesn't rule out paying a lot of attention to security, of course).