
This SaaS bias is untenable. "Use a big target" they say. "Store them with a big company" they say. "Give your data to someone, let them worry about it" they say. Meanwhile, breach after breach tells us that regardless of security, the likelihood of successful attack comes closer and closer to 1 as the size and exposure increase.

It's likely that these services have already been zerodayed, and we're just waiting for the shell to drop on an upswing.




Keep in mind the whole evaluation was from a company perspective. What those services are solving is company employees slacking passwords around, sending them via email and using generic passwords like 'CompanyName123' or 'CompanyName!!!'.

Personally, I am also not going to use a cloud-based solution.


Yeah, no. I used to (in my old job) see the raw data. They're breaching crappy third-rate sites regardless of your "size and exposure" metric. Huge volumes every day.

Breaking into fifty PHP forum sites running buggy old versions is easy. Figuring out how to get anything from (picking at random since I use pass personally) LastPass is hard work, and you're more likely to get caught, not worth it.



