A new 2010 comprehensive report on data breaches by Verizon and the US Secret Service shows that most of the breaches occurred on internally located and managed systems. Many of these are database and application servers. The report says that based on their data and analysis they cannot conclude if using cloud computing and SaaS makes it less likely that a data breach will occur. This is clearly an area that requires more study.
Most of the hacking and cybercrime target systems that are worth money and easy to access. Large institutions are not the only ones at risk. That may be the largest payoff, but larger institutions tend to have more money and personnel to throw at the problem. Some smaller organizations may not have the staff or technical expertise to shore up their systems. This makes them vulnerable.