A cloud-based IAM system is not "inherently" less safe, just riskier than an on-premise system in the sense that you have less direct control over its routine operation and the people who interact with it on the contractor's end. But in reality this is no different than other services a company contracts, like document destruction/archiving, for example: if you deal with an established organization that has implemented proper QA and security best-practices (ISO-27002-certified, for example) and have read the TOS thoroughly to understand what recourse you'll have if something happens, you can minimize that risk.
That said, there can be other issues related to architecture/integration/configuration that might increase potential risk in a IDaaS-type scenario - for example, if the platform doesn't follow an active-active type architecture, there may be risk of data corruption/loss if an outage was to occur and the backup system needs to be spun-up before picking up the slack. The "cloud" is just someone else's computer, so the same issues found with the performance of on-premise solutions can occur if the contractor chooses a technology & architecture that is not stable under heavy use and able to recover quickly from an outage.
A while back a vendor sent me a couple of pretty good white papers on this subject, so I've posted them on a public FS site in case anyone is interested - link is https://gofile.io/?c=G3IKbg and should be good until 05/31.
Am taking the view that the credential stuffing attacks are automated and your customers are individuals using a browser? If my assumption is correct then check out Cloudflares BOT management service https://www.cloudflare.com/en-gb/products/bot-management/
Of course user education and incentives to use a password vault that selects a unique random password for all services would also help towards prevention.
Plus as already mentioned 2FA all the things.
I am biased, because the author is a friend of mine, but I agree with and appreciate the insights in Why CISOs Fail: The Missing Link in Security Management--and How to Fix It.