That's incorrect along a couple different axes. The biggest problem is, most providers wouldn't be hosting ColdFusion code at all; ColdFusion is archaic and has a terrible security track record. But even if they'd built that UI in Scala, the onus is on the hosting provider to make sure the code is safe.

Being a hosting provider is a big, big deal. They have less margin for security errors than almost any kind of tech company.