If it's not exposed to the internet, an out-of-date on-prem is still better than everything on a massive centralized public vendor server that 5 nation states are hacked into.
GitLab had a permission escalation issue that I saw unpatched on an on-prem install. Contractors accessing it via VPN (and even local employees) would have been able to access repos and actions they didn’t have permission to access.
And it’s not like nation states can’t attack companies directly.
Nation states only attack companies they care about. That's the point. Once you have your info on Slack, you share the fate with the million other companies that nation states might care about.
If 5 nation states hacked into the centralized public vendor, they'll find a way to get into someone's on-prem version of the same, especially if they are the type to let it go very out of date.
The difference is that they will only hack into your on-prem solution if you are the target. With a central service, all of Slack's million customers get compromised because of one single hack.