by ProAm 4520 days ago
People shouldn't trust the cloud for important source storage. Always self-host anything you want to keep private.
3 comments

I'm pretty sure many more codebases have been lost through failures to secure internal networks by corporate IT departments than through vulnerabilities in cloud hosting providers.
I agree. I was speaking more about security than we blew up our own code repository. Everyone has the ability to light their own house on fire.
I think he is referring to many people failing to secure their networks and having code stolen. It can be just as insecure as, if not worse than, a cloud provider if done wrong.
'People' shouldn't 'trust' anything.

Verify.

Important storage can be done 'in the cloud', but you need to audit and verify the cloud vendor is providing the proper controls. Just like you need to do 'privately'.

For code projects that are between me and a couple of other devs, none of whom are infrastructure security experts, I trust a company like GitHub a lot more than one of us trying to hack something together on a server.
With the exception that if you have three guys hacking something together on a dedicated server or a box off your cable modem, with git tunneled over ssh using keys and a proper firewall, you'd probably be miles ahead. That might take you an afternoon to set up with almost no experience.

Not to say that it couldn't be compromised, but you're not a target like GitHub might be. If you're working with an enterprise-level project with more complex auth and access methods, more users, performance and scaling needs, you'd need a real security implementation.