Your misinterpretation of their comment is the source of your confusion: note that they said “a lot” and “more secure”, not perfect. There are many more breaches of on-premise systems but we don’t say that those are too risky to use — it all comes down to cost. One big advantage that cloud environments have is that you can assume everything is API-driven and there are off the shelf tools to look for common problems like the Capitol One WAF setup. You certainly can do that on-premise but you have more work to do and the bespoke nature of the environment makes misunderstandings easier.