
My alma mater moved from self-hosting email to Microsoft after a major data breach. Keeping high-value internet-connected things secure is indeed hard.


You can misconfigure your SaaS too. And it’s not that difficult to learn how to secure your system… you just need to want to learn it, which is rarely the case. The topic itself is not that difficult; in reality, you don’t need to know cryptography in detail to make something secure. You just need to care. But most people are fine with a copy-pasting-from-StackOverflow level of caring, which is absolutely not enough with security. But once again, you have the same problem with SaaS.

The main reason to switch to SaaS is that it’s less of your responsibility. The decision is made mainly not for technical but for legal or budget reasons.


Saying "you just need to want to learn it" is oversimplifying.

It's not just learning how to secure it once, it's constantly watching for announcements regarding new vulnerabilities and being able to patch at short notice or being able to pull the infrastructure offline if you can't patch right away.

The world is a different place now with what virtually amounts to criminal companies trying to find every vulnerability that allows them to get into your system and either holding your data for ransom, extracting it for their own uses, or both. Even if you really do want to employ someone solely to stay on top of patching and watching for vulnerabilities, it's safer and often cheaper to let one of the big companies host your data.


You are completely right. I just wanted to say that people fail even at doing the right thing at a given moment, and they absolutely fail when the right thing is even changing.



