1- Autodesk runs on Amazon Web Services, and AWS is probably the biggest attack surface on the internet by a huge margin. AWS also knows this, which is why they have one of the most impeccable security protocols and smartest network security nerds on the planet working there. AFIK, AWS itself has never actually been breached, though client applications running on top of AWS have been. It is important to note that the vast majority of those AWS client breaches are interfaces to very old systems (like COBOL stuff that banks run), and the leaks usually happen where older systems have been kludged to work with AWS. Autodesk simply does not have the same legacy problems as an outfit like Capital One.
2- The Fusion team designed the system so that all files are stored with 256 bit encryption. Everyone who has access to a file had their own copy stored, encrypted with their own individually generated user keys. Even if one were to breach Autodesk's S3 bucket, all you would get is a bag of 256 encrypted garbage. You would also need to breach Autodesk's live decryption application and somehow get full/live control over it.
3- Even if someone did both of those rather extraordinary things, they would still need to authenticate as the owner of each individual file. All of the file encryption keys are themselves encrypted on the server, and are only temporarily decrypted long enough to decrypt the file. The system doesn't even store the user's password and even Autodesk doesn't have direct access to a customer's file (unless you download it to your computer and send the resulting unencrypted version to them, or grant them access).
Put it all together and we are basically at the place where high-quality internet security has been for quite some time - unless you have the user's authentication cridentials (i.e. user name/password, and are using them from a non-suspicious location, on a non-suspicious system), the overall cloud thing is pretty crazy secure. The point of vulnerability in the Fusion cloud is not on the Autodesk side; it is on the basic user security hygiene side which has the universal attack vectors of phishing scams, social engineering, and device access.