I’m fairly confident that in the same breach scenario (laptop with admin permissions taken over), most small orgs would fare worse. The CI system would likely be behind a VPN, but the laptop would likely have those credentials, so it would not stop an attacker.
A small, 20-person org has maybe 2 people assigned to ops, so monitoring and breach detection are likely worse.
Now, a small org may be a less attractive target and some orgs can have top-notch security people, but on average, the trade-off is likely not in favor of hosting your own.