Yes, a third party that handles storing cc info is more of a target, but they specialize in these things and have people and systems continously watching and checking the data and the requests. A hacker doesn't have much time after they infiltrate these type of systems - because there is a team on alert to the situation. If you handle it yourself, you may never even know a hacker stole information at the most once a day - if your company had such a policy in place to check the logs on a daily basis, which I'm guessing his won't.

Using a third-party, from a legal standpoint - they will have the resources to prove they made a best-faith effort to secure the data. Not having systems or live people overviewing the continous processing would probably not constitute best-faith in court. If I owned a small company, I would rather pay a measly transaction fee than be held accountable for losing 100's or thousands of credit card numbers to hackers.