I assume the extra hoops for when you need to support 'the thing'. When you host 'the thing' you are fully aware of OS, versions, updates/upgrades/patches (both functional and security), you are aware of the number of users, Profiles (they didn't go on to create the profile PizzaAuditorBurger with FULL-ADMIN-on-the-whole-Galaxy and at the same time disable every audit log ever made).
Basically it's about control.
Depending on the client and the type of SaaS you are offering it may create the headache for a SOC2/PCI-DSS compliance/HIPAA/etc reports/compliance/etc. While if they host it, then it's their problem :)
So..
Cloud.. you got headaches but control the narrative, version, etc.
On-prem.. they got headaches but you can charge them more hours when supporting.
(I once worked on a Programme for a mega-big company that was closing down its data centers and moving assets onto a managed private cloud - I was the Compliance Lead for that project)(it involved SOX, GDPR, and the promise of 2700x)(together with the mandatory updates because some on-prem apps hadn't been updated for YEARS and were still running on Win2000)(which Win2000 has the most beautiful desktop background color ever-ever-ever)(but still.. we're talking that this happened after 2015)
EDIT: Also.. if anyone is looking to hire someone in Europe to run their SOX, GRC, Internal Controls Monitoring.. I am looking (and I know the tricks to get compliance to actually happen - with minimal pain)