Cloudflare pushed out free TLS years before Let's Encrypt and we are actively working on and supporting QUIC and HTTP/3. But QUIC/HTTP/3 aren't here today, not everyone is using HTTPS and there are other worries in coffee shops etc., hence a VPN service makes sense.
There is a bit of a difference between LetsEncrypt and Cloudflare TLS termination though... one is TLS for everyone, the other is TLS for Cloudflare customers (paying or not). For instance, can an Iranian website use Cloudflare TLS? I would wager not (ironic, as they probably need secure transport the most).
I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts.
Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.
CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long as the customer is not a Gov't entity. The only issue is that these CAs are just playing it safe by not issuing any .ir domains, making CF also unable to issue .ir.
I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].