And better credibility when you say “Our vulnerability was on AWS and configuration is hard, but at least we had the default VPC config” rather than “We maintained our own stack and being sysadmin is hard, and the port was exposed on the web.”
Modern cloud services such as S3 or let's say MongoDB seem to have a lot more security footguns than old-school bare-metal. An S3 bucket misconfiguration exposes your data to everyone even if there was never a reason for that data to ever be exposed to the outside world. On a bare-metal, chuck it in a directory outside your web root and someone will have to actually breach the server before they can steal the data.
