by peterwwillis 4271 days ago
Many, many, many systems (like CDNs, or high-profile financial firms) depend mostly on IP whitelisting for their public-facing origin security. Whenever there's "partners" or "3rd parties" that need access to some service but they want to generally keep people from the internet off it, they just get lazy and IP whitelist instead of creating a VPN like they should. There's probably tens of thousands of organizations with setups like this.
1 comments

Depending on the required level of security, that is probably fine. Protecting the origin server of a CDN via IP whitelisting is fine, if the content is publicly available via the CDN anyways and you treat that as a "we don't want everyone to use the origin, please use the CDN"-level of security. Using whitelisting to really keep people off the origin, however, is probably not.
For something like CloudFlare which in itself is designed to be a security filter as well as a CDN, having people able to touch the origin server (if they can find it) would be highly undesirable.