(Usually) - Those cloud providers know what they're doing though and de-couple things as much as possible, reducing and entire system compromise. It's their bread and butter, I would much prefer them managing the systems than the HSE.
But they still make mistakes (ask me how I got into Google /rpcz pages by shodan dorking and slightly mangling an HTTP header...). And just a few of these mistakes strewn together can have a massive blast radius if exploited by a motivated entity.
That, and all the high security cloud hosting in the world will not help the most commonly exploited security issues: unpatched wordpress plugins, world readable storage buckets, poorly secured privileged accounts, ransomware, phishing... A shoddily managed on-prem enteprise IT infra moved into the cloud will be just this: a poorly managed AWS infra, just as exploitable as before, but now also 10x as expensive to run.
Sure, I don't disagree. But in many cases the value of the data lost even over a short period can dwarf the size of a ransom, as can losses from downtime before getting operations up and running again. Can you imagine if they managed to take down e.g. S3, even for a day? The incentive to pay would be high, which in turn increases its attractiveness as a target. Not saying they would pay of course.