Because you will inevitably have hundreds/thousands of dependencies, controlled by at least as many people, anyone of which could inject code to backdoor your server.
A supply chain attack will sooner or later be the cause of a major incident.
It's the same for any other language . With java with c++, dot net, PHP and even with Erlang. None of them force you to use governed central repositories. And that's a good thing.
The scale is on a different level however. Your average node project will have 10/100x as many dependencies compared to other languages. Too many to conceivably check. Also due to how dynamic the language is, I think it is way easier to hide something.
The V8 runtime itself is pretty secure. However every npm package has total access to your filesystem and network i/o.
This is by design, the author of node himself has apologized for it and admitted that nothing can be done now because it'd basically break the internet.
This means any package ( i.e. eslint), dependency, anything that has code from just one malicious contributor can grab away all your API keys, ssh keys(if you still use those), environment variables, crypto wallets of your users( this has actually happened a few times now at scale).
With something like aws-amplify you just go on their site and put your environment variables there, instead of keeping them on your own machine.
Now you don't have to worry about using sketchy docker images, or your junior devs using their work laptops on a malware infested gaming cafe while still running their localhost server.
Aws and gcp can afford to have way better internal security and regular pentesting of their containers and infrastructure, so now wrapping those protecting layers around node, express, etc... is their problem.
You just push your code the production or testing branch and they handle all the provisioning, builds and deployments in 3-5minutes.
The npm dependency issue is a serious concern, but I'm not convinced that gcp or aws would mitigate the issue. If the problem is unaudited code that could be potentially compromised, gcp and aws will run that compromised code without protest.
A supply chain attack will sooner or later be the cause of a major incident.