The General Data Protection Regulation doesn't exist in a vacuum; other laws also regulate data handling. Most importantly, accounting-related regulations.
So, if you request your account deletion, all billing-related information is still held - that is probably 7 years in all EU countries. Sending unwanted mail to those addresses is a different issue though, but having contact data as part of billing data is legal.
Yes. But for all personal data the purposes for which it may be used are limited: generally[0] only the original reason for collecting the data or the legal basis for keeping the data dictates the uses. So anything kept for use in filing taxes or other bookkeeping obligations must only be used for those purposes.
[0] it is possible to use data for other purposes than originally collected in some circumstances, but I'm not sure if there are many legal precedents for that yet.
If Cloudflare can't get an email unsubscribe process to be GDPR compliant, should you trust them to handle the many far more privacy-relevant things they offer as a company...?
I have no dog in the fight (I'm not connected or loyal to Cloudflare whatsoever), but this is a non sequitur.
Companies work to priority lists based on how important things are for customers. So it's perfectly plausible that the very reason they're not flawless at removing cancelled users from all their email databases is that they're too busy focusing on, as you put it, "the many far more privacy-relevant things they offer as a company", which they regard as far more important.
I'm not saying that's definitely the case here; I have no idea of any specifics. But I've definitely seen things happen that way in other companies/teams I've observed.
If Cloudflare is unable to even remove a deleted account from a mailing list, how do you know they have actually deleted ANY other information?