OK I see two issues:
1. Larger organisations being able to allow internally-hosted and supported applications and webs. This does require in-house expertise or else contracted support and development from external organisations. However it may be preferable to host the data in-house (even if at a data centre) and retain maximum control. This needs to be balanced up with cost factors.
2. Smaller organisations needing external support and hosting to provide their needs. There are a number of companies specialising in this now and if the issue is security then surely it comes down the small print on the contract and the selection of the data that should be hosted externally, no? A hosted application would be subject to a number of security measures just as would hosting of data which is accessible to a company without application hosting being done by someone else.
So I don’t see that the smaller companies are being excluded, simply their cost base may dictate that they use external hosting, then it is simply a question of good judgement and using budgets to leverage services and benefits from external providers.
authentication and authorization methods
Encryption should be utilized for both data in-transit, as well as data–at-rest