A lot (some would say it actually takes the cake) of security breaches come from inside a corporation from current/former employees and contractors that have permission to access an organization's computer systems and network indirectly or not.
Most spyware/virus etc comes in as the direct result of user behaviour. Sure spyware comes from outside - because someone opened the door and let it in.
There was a survey done by PWC with NFO security with approx 1,402 respondents (businesses) this year.
Large businesses alone - 73% had staff misuse of web access (which of course can mean they are going to websites which, if security isn't tight can cause security breaches), misuse of email access was 81%, 66% had unauthorised access to system or data by staff, 31% of misuse in confidential information from staff, 49% had loss or leakage of confidential information by staff.
Not only that but small and medium/large businesses generally don't have 10000s of clients that purely rely on their system security and up time as their prime business. Also companies that have in-house servers are far more likely to have data leaks from physical access to the server.
36% of the worst security breaches in this year (So far) were caused by inadvertent human error (and a further 10% by deliberate misuse of systems by staff) 57% of small businesses suffered staff- related security breaches in the last year. 17% of small businesses know their staff broke data protection regulations in the last year
12% of the worst security breaches were partly caused by senior management giving insufficient priority to security
only 4% of respondents had a security or data breach in the last year relating to one of their cloud computing services Social networking and mobiles individually caused more of a security problem in the business than cloud (in fact more than double) yet 74% of large businesses where attacked by an outsider and 93% had a security breach.
Along with sever security as per usual on an in-house server and an increase in protection before threats even have a chance to touch the server gives you an added protection. Along with cut back in staff, cut back in security costs yet improved security are among the benefits for business. Yes, I agree hosting companies have more threats to deal with yet they by far have less penetration/breaches and in most cases more aware and educated on security.
Yes there are web hosting companies that are the exception, which won't last long which is why it is important to do your homework before going with a hosting company. To be safe you wouldn't go with a hosting company that has just started out but perhaps one that has been around for a while and has a good reputation.
It doesn't matter where it is it has the possibility of being hacked or having security breaches but I still stand by the fact that Hosting companies (in general) do have better security not to mention the removal of some user error/security breaches by their own IT (particularly small/medium businesses) who have IT people doing a bit of everything but nothing very well. Just because you go cloud/vps/ etc etc doesn't mean you don't add your own security of course.