Nothing, anywhere, is perfectly secure. There are always vulnerabilities. We just don't always know what they are until it's far too late.
However, I still land where I always land on this. Mostly, Microsoft is going to do a better job than most organizations at securing stuff, most of the time. NOTE: not all, not all the time, not everywhere. Certainly, there are some orgs that are going to be better... or, they're just small enough that they haven't had the full focus of serious hackers just yet.
Regardless, you kind of have to assume, at some point, you may be hacked. Backups, offline storage, other stuff along these lines will always be prudent. Cloud or not. Microsoft or not.