Perhaps the security staff are convinced that either Google doesn't actually have access to it in any practically-concerning sense (https://www.quora.com/Can-Google-open-and-see-files-in-my-Go...), or the risks associated with that access are negligible?
I think you've hit on a very interesting point. The fact that IT security staff (with careers and reputations on the line) do sign off on companies using Google's platform for business applications that include passing sensitive data around might indicate that our assessment of the risk model is flawed?
I'm talking about actual information about what Google does with their data.
The cost-benefit analysis and risk tolerance doesn't tell us about how much Google secures their privacy, it tells us about how much the company cares about their privacy/security.
Beyond that, it's a trust and a penalties-for-violating-policy exercise.
And I agree with you: you can probably tell volumes about how much a company cares about the risk factors based on who they trust. But I don't generally think companies are being ignorant placing their chips on Google---it's a big org with a lot to lose if something goes wrong. That gives it advantages over either smaller competitors or rolling one's own (factoring in that to match the security of a dedicated service's cloud offering while approaching the convenience of such an offering, you basically have to hire your own full-attack-surface-spectrum infosec team, and that's one more line item in a small company's budget).
I think you've hit on a very interesting point. The fact that IT security staff (with careers and reputations on the line) do sign off on companies using Google's platform for business applications that include passing sensitive data around might indicate that our assessment of the risk model is flawed?