Cloduflare’s Universal SSL uses (as far as I’ve so far seen) only EC (Elliptic Curve) certificates, which many consider more secure than RSA certificates (where the key lengths discussed are 256bit EC vs. 2048bit RSA). You can read more about that, here: https://blog.cloudflare.com/why-are-some-keys-small/
Having said that, some very old clients (i.e. from 10 years ago… Windows XP, Android <= 4, and the like), haven’t heard of EC certificates, and will likely never will; Their only way to access sites secured with EC certificates is to use Mozilla Firefox, which does their crypto by themselves, not utilizing the OS’ ancient code. For all those people, your site will simply not load (it won’t be “not secure”, it will just fail).
Finally, on the CN of the certificate, your users will see Cloudflare’s domain, and not your hostname.
There is however a way around this: Dedicated Certificates in Cloudflare. If you buy that ($5/mo. assuming all your hostnames are only 1-level deep under the domain, e.g. www.domain.com, www2.domain.com, but not www.blog.domain.com) - on the free plan as well - you’ll get a set of 3 certificates: EC, RSA (modern) and RSA (ancient), in fact probably getting your more compatibility to really really old clients (though less secure…). You’ll also see your domain in the CN of the certificate.
However, all the certificates, including the paid ones, still require your clients to have SNI support, because you’re not alone on your Cloudflare IP address. That excludes clients from … 2006, I think? and older. This limitation may also exist in heartinternet’s implementation, I do not know. Not many hosts provide you with your unique IP for free…