on your second point, I'd be careful before making that assumption. Without evidence there's no reason to believe that a supplier company will have better security than your own and it's entirely possible they don't.
Also should a supplier suffer a breach they have powerful incentives not to disclose that breach to you, and where intellectual property is involved (e.g. code) the theft may well not become immediately apparent.
The provider has a specific set expertise that's probably better aligned with hosting this service. Since it's a revenue center for them, versus a cost center, they're better equipped to make the case to hire specialists.
The your second point - legalese is very beneficial for that. In the US at least, as long as it's not a protected (by FISA, etc..) organization breaking into your provider's systems, contract law covering compromises is a fairly well developed area.
Also should a supplier suffer a breach they have powerful incentives not to disclose that breach to you, and where intellectual property is involved (e.g. code) the theft may well not become immediately apparent.