Although this article is pitched more at cloud security myths, it makes a very good point on cloud security. Here it is discussing a point in the context of fact scenario, but I think the point is clear.
The important fact about this situation: If this organization assumed that all security responsibility lay with the CSP (Amazon Web Services, in this case), it would be extremely negligent, because it had not taken important steps to address security issues for which no CSP could be responsible. This is what shared responsibility implies—both parties have to step up to the security aspects in their control, and failing to do so means the application is not going to be secure. Even if the CSP does everything correctly for portions of the cloud application within its control, if the application owner fails to implement its security responsibility correctly, the application is going to be insecure.
I sometimes see poor security practices by the customer resulting in incidents that they could have prevented and which the controls to prevent it were within their power and responsibility. Cloud service providers have tremendous security responsibilities- there is no arguments there. But you have not outsourced your entire security function. Good security practices are still necessary.