Unclear who is responsible here, Allianz or their third-party "cloud-based CRM provider."
But I think that fundamentally, secure cloud-based SaaS is impossible. This stuff needs to be on-prem and airgapped from the internet. That makes some functionality complicated or impossible, but we're seeing that what we have now is not working.
Allianz have more than 150k employees with offices in 50+ countries. Not all of them need access to the CRM of course, but I think going back to on-prem is just asking for a different kind of trouble.
We don't have any details now, but I wouldn't be surprised if the cloud-based CRM provider didn't have a very technically interesting weakness, but rather that some kind of social engineeringy method was used.
If global companies like this instead had stuff running on-prem all around the world the likelihood of more technical vulnerabilities seems MORE likely to me.
(Air gapping is of course possible, but in my experience, outside of the most security-sensitive areas, the downsides are simply not acceptable. Or the "air gapping" is just the old "hard shell" / perimeter-based access model...)
There are inherent tradeoffs when using centralized solutions like that; unless the company does not use any third-party software and is paranoid about its security, these incidents and breaches will occur, unfortunately.
Our industry is pathetic.