Not to defend them, but it doesn't matter if a hosting provider does that. So long as you can sue them for your full damages when it goes wrong.
That's the whole point of SaaS, isn't it? We pay you to manage this, you manage it appropriately taking advantage of economies of scale, we sue the shit outta you if it goes wrong.
The whole point of SaaS is someone the CTO can blame when things go wrong.
Doesn't matter if the downtime is higher, doesn't matter if there are more successful attacks.
If a CTO goes in-house, they carry the risk. If they outsource it to a vendor, especially one with a Gartner report, they can play golf and not risk their bonus.
Or, you might pay an insurance company to cover you for the risk - and so long as you have the right attestations from your SaaS providers, your insurer pays out in the event of a problem (and maybe goes after the SaaS if they feel the need to).