A typical SaaS vendor has numerous clients, all with varying levels of sophistication in their password and identity management procedures.
As if the need to ensure tenant isolation does not put enough pressure on the architects, they also have to worry about how well their customers are securing their own staff. The smart ones are doing Federation for predictable data transfers, and two-factor to secure the application layer. Even then, the legal people still make them sign disclaimers that ultimately, data breaches due to compromised credentials are the responsibility of the authorized bearer of the credentials.
It sucks to have to secure a slew of web servers, especially for those who have to run LOB apps on Windows platforms. VDI is being used pretty heavily on that front prevent information leakages. It's cheaper to spin up a session for them via a webpage, than it is to trust that their client is secure. Not to mention easier to maintain and troubleshoot. Staff can shunt the user to a clean session, shadow it, hold the user's hand through whatever.
On the plus side, with a good cloud provider, when your datas get pwnt, it is replicated somewhere else. Maybe even on tape in some cold, humidity controlled warehouse. Because no matter how good security is, sooner or later, it will get compromised.
At that point though, it is all about RTO/RPO which is outside the scope of security. BTW even with LTO6, restore rates from cold storage still blow.