If Cloudflare can't get an email unsubscribe process to be GDPR compliant, should you trust them to handle the many far more privacy-relevant things they offer as a company...?
I have no dog in the fight (I'm not connected or loyal to Crowdflare whatsoever), but this is a non sequitur.
Companies work to priorities lists based on how important things are for customers. So it's perfectly plausible that the very reason they're not flawless at removing cancelled users from all their email databases is that they're too busy focusing on, as you put it, "the many far more privacy-relevant things they offer as a company", which they regard as far more important.
I'm not saying that's definitely the case here; I have no idea of any specifics. But I've definitely seen things happen that way in other companies/teams I've observed.