AWS's shared responsibility model is quite clear in stating that end users are ultimately the ones responsible for security and compliance. So your points are moot.
"Flexibility" in this case is so vague that it's meaningless. I mean, is there anything more flexible than owning the entire infrastructure and software stack you chose all by yourself?
That's not at all what the shared responsibility model means... You are responsible for your application's security, not that of the underlying infrastructure. That's why it is shared...