it still is providing more security. yes it has a security hole, but for example if i'm in starbucks - you can't sniff out my cookies over the ssl encrypted traffic. Sure a backend provider can, but it's a layer of protection... I suppose an interesting question here is there away for the browser client to detect this type of hole and alert end users to the risk...

No, it's fundamentally impossible - as far as the browser is concerned it's talking to a server that's speaking HTTPS (CloudFlare's server) and it can't possibly know what that server's doing behind the scenes.

If I see HTTPS in the title bar I expect the owner of that certificate to be responsible for the content I'm seeing. It's utterly irresponsible of CloudFlare to enable this kind of configuration.