Regardless of who hosts it, you're still at the whim of Apple's security folks. Lots of unassuming targets would now be quite interesting, especially with an "official" version to crack against.
By that logic, you're always at the whim of the vendor's security unless you write all your own software from scratch. Microsoft, Apple, Red Hat, Ubuntu, SUSE, etc. are all the same in that regard. Since almost no one actually does that, it's not really a helpful observation.
However, if the data is hosted on a server I control and own, I can take responsibility for the security policy. It's about control as much as anything else. For example, I can block all devices from connecting or even receiving a response except a whitelist of only my devices' MAC addresses. I like that security policy.
Really, though, having your own iCloud server is more of a business necessity if Apple is really serious about expanding into the business side of things. Lawyers are now bound by certain ethical rules in many states to keep their digital client files secure and private and to prevent disclosure in all circumstances - most cloud services do not qualify. Doctors are under similar privacy and control requirements under HIPAA. Many corporations, while not bound by law, may have policies that prevent the use of outside cloud storage for good reasons such as protecting trade secrets from being stolen or protecting sensitive data from leaking.
Does Apple really not want these large sectors that are known to spend a lot on to not use their iWork suite or not use their iCloud file sharing system that many third-party apps use?
Sure would be nice to host my own iCloud server...