It's not like CloudFlare can't see passwords if you don't use HTTPS. I don't think it's security theater, because CloudFlare being compromised is only one out of a large class of potential attacks.
That said, I fully agree that it would be nice to not have to trust CloudFlare.
That said, I fully agree that it would be nice to not have to trust CloudFlare.