[q3k]

But they still make mistakes (ask me how I got into Google /rpcz pages by shodan dorking and slightly mangling an HTTP header...). And just a few of these mistakes strewn together can have a massive blast radius if exploited by a motivated entity.

That, and all the high security cloud hosting in the world will not help the most commonly exploited security issues: unpatched wordpress plugins, world readable storage buckets, poorly secured privileged accounts, ransomware, phishing... A shoddily managed on-prem enteprise IT infra moved into the cloud will be just this: a poorly managed AWS infra, just as exploitable as before, but now also 10x as expensive to run.