SAAS (Software As A Service) seems ideal for the business. No hassle with machines that need to be bought, software that needs installing and IT personnel that needs to be paid.
When the SAAS is acquired from a reputable big company often the SAAS solution is well organized. That is also true for the security of that solution. When the SAAS solution is acquired at for instance Big Red O they have network segregation, background checks of personnel, extensive high available infrastructure, disaster recovery site and even a procedure to explain how the data will be deleted.
But how do you know ? Because a lot of money is spend with the supplier it will be organized is a secure way? One can also spend a lot of money at providers that do not provide such a secure service, as the research security market for "lemons" has shown, see Ross Andersons paper: http://www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf
A lot of SAAS providers have not gone thru the processes of checking all security angles. As will quickly be clear when the provider is asked for a SAS 70 type II report, an auditor format for a report that has a auditor check the security setup of the provider.
Reading and checking these reports can help to double check the security assumption that otherwise could be the mother of all...