“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Yes but here is the trick: when those companies found out their old applications had to be changed and legacy code had to be rewritten it was cheaper to move to the cloud/SaaS that is supposedly GDPR compliant.
GDPR applies to data in cloud too.