I assume CloudFlare has a TLS signing cert that chains to a cert from a CA that is trusted by browsers, so generating new certs is likely free for CloudFlare, but IPv4 addresses are not free, and not particularly abundant these days.
Customer-provided certs (using SNI) probably don't pass CloudFlare's compat tests as there are unfortunately enough clients out there that don't support SNI. The only alternative then, if SNI and multiple IPs are out, is a single cert with lots of subjectAltName entries.
Cloudflare has to issue a single SSL certificate that is shared across multiple sites. The cost of a certificate is not proportional to the number of alternative names in the certificate, and is a fixed cost.
As a downside to this, they have to use SNI, which is not supported in any IE+XP combination, along with a few older mobile browsers as well.
You're mistaken; certs with multiple SANs don't make use of SNI. SNI is used (required) when you have multiple distinct certs. CloudFlare is not using SNI likely specifically because of the IE+XP issues (among others) that you point out.
Yeah, I got the two mixed up. SNI doesn't mean multiple hostnames on a cert. It means multiple certs on the same IP.
However, due to high costs behind getting IP addresses, CloudFlare does use SNI for its free tier. Its paid customers on the other hand get their own IP per hostname.