You make some very valid points. Cloud certainly doesn't change the background certification and compliance requirements for customers and it's beholden on cloud service providers to support customers in their environments to continue to meet those thresholds and not introduce unnecessary complexity and costs.
Likewise the ability to control and command infrastructure via a virtualised login based system introduces it's own risks. The ability to delete large scale infrastructure is difficult in the physical world hosted in a high security data center so it's a high bar to meet with the cloud via an API or browser based interface. The cloud must achieve comparable levels of security to ensure customers have assurance regarding delivery of their computing infrastructure and data.
The good news is that a lot of progress has been made around these areas over the last five years and so, whilst customers need to be cognisant of the challenges and make sensible choices around providers, the tool-set does exist to meet requirements and the relevant key performance characteristics of core traditional infrastructure deployments. The debate then moves to one of commercial imperative; what makes sense to deliver via cloud? what makes sense to keep in-house? etc. Technical requirements should not define the debate any more.