It isn’t.

Crickets.

OK, it can be but you have to be very detail oriented. A lot of the defaults you deal with when you set up your application in the cloud are decidedly insecure. The issue is whether your org is up to paying for in money and complication all of the things to make it secure. I hate to say it, but a lot aren’t. A lot were sold a bag of goods (I had a senior person tell me AWS has ‘thousands of PhDs watching our stuff’ [they don’t]) that didn’t quite match reality. I have seen cloud resources get locked by malware and data siphoned off that literally never happened when they were on premise. We were, just last week, taken down by an attack because no one thought to turn on the AWS WAF.

So the nuance is it can be, but if you go into it with an attitude of “*PHEW*, we don’t have to deal with all that pesky on prem firewall stuff anymore because the cloud has thousands of PhDs watching my network…” I promise you it will be open season on you.