We use a combination of both. Our servers are broken down by tier level for Disaster Recovery purposes. Tier0 and 1 servers we keep local backups replicated to our second data center available as well as sending tapes off site. All other tiers we send tapes off site and call them back of needed. So for us it is determined by how important that server is to the functioning of our organization.
We use mostly onsite. Historically, we went the path of having storage onsite.
In the last few years, we do have some ancillary applications being hosted by 3rd parties. But we dont distinguish between the storage and the app, its the whole deal that is offsite.
We have 3-tier architecture Backup Policy. Tier-I is daily/weekly/monthly onsite. Tier-II is daily/weekly offsite no. 1. Tier-3 is weekly offsite no. 2.