When they see the padlock on their screen, they feel that everything is safe. It's easy to use for a cybercriminal with numerous domains hidden behind the privacy services of various registrars.
Moreover, the subdomain wildcard option on each domain is handy for obscuring a URL in a phishing email.
Paid accounts make up about five percent of the domains that use Cloud Flare, according to news reports.
It's all a marketing effort anyway, whether paid or free.
(Their "data centers" are typically a rack or two of equipment that Cloud Flare ships to a real data center, along with installation instructions.) We asked Cloud Flare to confirm that sniffing is possible at these so-called "data centers," but they didn't respond.