I don’t think the problem is MSPs as a whole, I think it’s cheap execs who go with the lowest bidder and the cheap MSPs who take their money to do almost nothing.

I worked for an MSP a few years ago. We used a monitoring tool, and on of our co-managed clients (a regional healthcare provider) used the same monitoring tool. When a major vulnerability in that monitoring tool was exploited, our client’s instance was hacked, and ours was not. As a good MSP we knew how to properly configure and secure the tool, while their in-house IT just installed the tool and moved on to the next thing.

TL;DR: Shitty IT people will be shitty IT people. I’ve cleaned up after a lot of incompetent internal IT departments, and an equal number of incompetent MSPs.