I don't know that this is debatable because companies are so different... Security threats can be categorized as internal or external threats. When you keep your data local your internal threats are limited to your employees with access to the systems or data, and your external threats are anything outside trying to find its way in. When you put your data up in the cloud you are opening up the internal threats to both your employees AND the employees of the company hosting your data, and your external threats to a much larger group of people targeting a much larger 'payday' by attacking the service provider. One blunder by that company, or one stupid employee at that company, and a lot of people can be affected, including you. Perhaps you have a big name and everyone wants your data - putting yourself up on the cloud might not expose you to many more external threats, but for small companies the risk of external threat by keeping your data local could be less.
So - if you have stupid people in your company emailing confidential documents or making their password "bigboy" then it doesn't matter whether your outsource or not. On the other hand if you don't have the want or desire to have a solid IT security person, then the additional risks of your service provider getting hacked are probably still less than the risk of your local network being hacked.