One issue I never see mentioned are leagl requirements for auditability. There are many types of database-centric applications that are legally required to keep data on premises; for example, pharmacies. The first thing pharmacy auditors do is that they lock the door and then they disconnect the computer. Brokerage systems must keep their databases within the jurisdiction that licensed them.

Like or not, for tyhese apps you would have to change the law before you would even consider security.