The risks when you host your database server on the public internet and have no rules preventing the public internet from accessing it are the same no matter what platform you use. There is the risk of a brute force attack against the database using the administrator account. These admin accounts always have the same username (root for MySQL, sa for MS SQL, and system for Oracle), so the only issue becomes finding the password.
Hosting providers (and Microsoft via SQL Azure) will set an extremely hard-to-find password, and they will change this password on a regular basis.
It is still a best practice to not allow direct access to the database. In fact, many hosting providers do not allow direct access to the database servers.
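One way to check for the missing rules described above, as an added example that is not part of the original text: a small audit that flags inbound allow rules exposing a database listener to addresses outside your own networks. The `(source CIDR, first port, last port)` rule format, the sample rules and the list of internal ranges are assumptions made for illustration; the ports are the default listener ports of the three engines named above.

```python
import ipaddress

# Default listener ports for the engines named in the text.
DB_PORTS = {3306: "MySQL", 1433: "MS SQL", 1521: "Oracle"}

# Assumed definition of "internal": RFC 1918, loopback and IPv6 ULA ranges.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed sample inbound allow rules: (source CIDR, first port, last port).
SAMPLE_RULES = [
    ("0.0.0.0/0", 443, 443),         # public web traffic, no database port
    ("0.0.0.0/0", 1433, 1433),       # MS SQL open to everyone
    ("10.0.2.0/24", 3306, 3306),     # MySQL reachable only from an app subnet
    ("::/0", 1500, 1600),            # wide port range that covers Oracle
    ("203.0.113.0/24", 3306, 3306),  # narrow range, but not an internal one
]

def internal_only(net):
    """True when every address in the source network is internal."""
    # ip_network.is_private is avoided on purpose: it has reported 0.0.0.0/0
    # as private in some Python versions, which would hide the worst rule.
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit(rules):
    """Return (engine, port, source, scope) for each exposed database port."""
    findings = []
    for cidr, first, last in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if internal_only(net):
            continue
        for port, engine in sorted(DB_PORTS.items()):
            if first <= port <= last:
                scope = "entire internet" if net.prefixlen == 0 else "external range"
                findings.append((engine, port, cidr, scope))
    return findings

if __name__ == "__main__":
    for engine, port, cidr, scope in audit(SAMPLE_RULES):
        print(f"{engine} port {port} reachable from {cidr} ({scope})")
```

Port ranges are checked as well as single ports because a broad range can expose a database listener without naming it.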