Masternodes are centralized because they are hosted on servers online, which are centralized. The large majority of masternode owners host their nodes on the internet, I'd say that's pretty centralized.
No. They are categorically not 'centralised' because of that.
Your talking about hosting of particular instances of the daemon as opposed to the logical architecture of the network. This word 'centralized' gets jumped on as if it's the holy grail of everything - a hammer that turns everything else into a nail. Its use with regard to cryptocurrencies alludes to the logical interaction of each node with the rest of the network. The whole *point* of a decentralised architecture is that things like machine hosting of particular 'nodes' have no bearing on this.
All of crypto, including bitcoin, is inundated with cloud mining facilities - in fact they are positively *promoted* all over the place. Despite that, if you consult
blockchain.info's metrics regarding mining 'centralisation', they're not remotely interested in who's hosting the mining nodes, rather what pools they are subscribed to.
This is just another example of picking some random aspect of a network's demographic (not its logical architecture) and manically banding about straw men based on it simply to have something to shout about.
Now lets consider a couple of extreme cases - say, [1] - if a hosting company were to shutdown all the nodes it hosted and [2] - if it were to compromise (take control of) all the nodes it hosted.
Case [1] is a benign attack. The nodes can simply be resurrected elsewhere (because, being wallet daemons, they are logically decentralised). It's no different in that respect from shutting down a cloud mining array - in fact it's even more benign since the blockchain hashpower isn't affected. That is secured by the regular mining function just as in bitcoin.
Case [2] is impossible. The attacker needs the private keys to the masternode collateral account to gain control a masternode and they are held offline and have nothing to do with where the particular daemon happens to be hosted.
Even if you did have access to the actual machines hosting masternodes, so what ? All cryptocurrency architectures have to *assume* bad actor operations in every aspect of their design. With the next revision of node blinding, you won't even be able to learn anything from the logs and even if you did, all you'd do at the absolute theoretical worst is de-anonymise some random transactions between one anonymous part of the money supply and another.
There's no systematic vulnerability there.