I’ve had cases where legacy TLS has become active. A support ticket indicated to drop the minimum TLS and raise it again to redeploy if this happens. (Turn it off and on again!)
Even with minimum TLS set to TLS v1.2 there are some ciphers that would be considered weak. I use ACM with this API call to disable ciphers I don’t need:
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${zoneid}/settings/ciphers" -H "X-Auth-Email: ${auth_email}" -H "X-Auth-Key: ${auth_key}" -H "Content-Type: application/json" --data '{"value":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"]}'
The TLSv1.3 ciphers cannot be changed, but there is no known issues with the three that Cloudflare support by default.