The major cloud vendors have invested in the best people, technology and processes. They have spent billions setting up world class datacentres. Everything is independently validated and verified by some very clever people. How secure is it? Let's put it this way. Its hard to find something more secure than a server that is powered off, disconnected from the network and securely locked away. When you sign up to Azure or AWS this is what you get. Nothing is connected, configured or powered on. However, as soon as you start creating your first environment all that security and control is no longer the vendors responsibility. Its yours.
Let's take a step back for a moment. Have a quick look at the Microsoft Azure Compliance page. It's an impressive list of industry specific standards. Each of which are independently verified. These standards relate to every aspect of service delivery. Things are very well managed and its secure. What some people seem to forget is that these standards do not apply to virtual machines, networks, storage or services that you create. Why is this point important? A disproportionate amount of time is sometimes spent agonising over the cloud vendors security and industry standards. Not enough time is spent reviewing the impact of internal processes, or lack thereof, will have on security. Your own people are more likely to make mistakes and compromise the security of your environment (when has this not been the case?). If you need your public cloud vendor to meet industry specific standards then its a very binary process. They either meet the standards or they do not.
How secure are Public/Hybrid clouds? They are incredibly secure right until you turn them on and start to use them.