There are many variations of IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and Cloud services. Some are public clouds, and some are hybrids, and some are private. There is also the possibility rent an external VPS (Virtual private Server).
The principle is simple: the provider gives you access to a virtual server. It is designed to your needs when it comes to RAM and storage. And the provider provide you with the hypervisor needed to host you operating system. Other than that, it is an empty server.
If it’s online, it’s a target
Anything that is reachable via the Internet will be targeted for intrusion attempts. Hence, your servers are targets, wherever you keep them.
You are responsible for your own servers, and therefore you need to manage them the same way you would with any physical servers. This includes monitoring security and the availability of services and applications.
Some service providers do have app shop or a control panel where you can get preconfigured software, such as antivirus or intrusion prevention software (e.g. Syspeace).
What are your neighbors doing?
Your VPS shares “IP-space” with other customers within your provider’s network. And let me be frank: You have absolutely no idea of what your “neighbors” are doing or if they are security aware at all.
They may have been hacked without you (or them) knowing it. They could have the IP address right next to you and their server could be used for port scanning or hacking attempts against your VPS.
Your provider does not monitor your VPS
The provider usually would not know either since it is not their responsibility. Their role is to provide their customers with a VPS. Nothing more. No security monitoring, no antivirus, no application, or service monitoring.
When you have set up a server and it is up and running, there is no connection between your user database and login mechanisms on the VPS on one hand, and your IaaS/PaaS systems on the other. Hence, they will never even get any alarms if someone is trying to brute force your server or your web application.
(They will however be alerted in case of a large DDoS attack against their entire network,)
It’s up to you to protect your server
In short, it is all up to you.
You need to secure the servers. You need to have an antivirus and monitor your services. You need to keep your web application login secure – both from malicious code and from brute force logins (for example with Syspeace).
So, using a VPS solution will give you lower hardware costs, but other than that, the difference is just about location.