Security needs to be in layers.

I recently responded to a query about security in the cloud and whether certain security-conscious apps should be deployed on an IaaS layer in East Africa.  Here is my response:

If an organization can afford and currently implements strong physical security, low-level network security (intrusion detection, stateful layer 3 firewall, etc...) and kernel-level OS security, and none of those functions come at the expense of high-level (OS and application) security, then you may well be better off with brick & mortar.

However, I doubt that any local group aside from national security bodies in Kenya and Rwanda have that capacity and the rest of the organizations will have better security from using a cloud-based infrastructure solution.

There is no way that low-level security is better at any bank or similar institution in East Africa than it is at Amazon Web Services.  

And as for high-level security (i.e. OS and application exploits), cloud providers do not purport to cover those things - it's up to the end-user to secure that level.  But, an organization that only has, let's say 2 or 3 security people, can encourage better security by leveraging a cloud infrastructure provider for protection against physical and low-level attack vectors and focusing on higher level attacks like operating system exploits and especially holes in custom-written applications.