Has anything changed on the topic of DDoS protection? Maybe new, better options? Cheaper, easier to set up?
Not really. I don't know of any better solution which wouldn't require a lot of manual work to keep it working.
Cloudflare actually isn't even very good at identifying bad traffic or delivering on several of its claimed features, but it offers two extremely valuable tools:
1. It completely blocks even massive IP/UDP/TCP flooding without any thought on the end-user's part. My custom DDoS protection was also able to block these attacks, but it required a significant amount of sysadmin work.
2. My custom protection failed against layer-7 attacks from 100k+ IPs. To handle these attacks, there needs to be some sort of proof-of-work/CAPTCHA challenge before the application starts making database queries and such. These challenges must exist on servers which will automatically scale to handle any number of requests, as needed. The challenge servers must have the HTTPS key in order to function. It would definitely be possible to do this without something like Cloudflare, and I've posted a general description of how it could be done, but both the coding and sysadmin work are more than I want to deal with.
Cost is a consideration, but not the primary one: I'd consider paying 10-30x more than Cloudflare's $250/mo, if this came with significant improvements. But as far as I know, you don't actually get much more by paying an "enterprise" DDoS protection company $5000/mo than you do by paying Cloudflare $250/mo, and in fact you often seem to get less.
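To illustrate the proof-of-work challenge described in point 2, here is an added example (not part of the original post, and not a description of how Cloudflare does it) of a stateless, hashcash-style challenge that a front-end tier can verify before any request reaches the application. All names (`SECRET`, `DIFFICULTY_BITS`, `TTL`, the function names) and the token layout are assumptions made for this sketch.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)   # assumption: one key shared by every challenge server
DIFFICULTY_BITS = 16      # assumption: ~65k hashes per client on average
TTL = 120                 # assumption: seconds a challenge stays valid

def _sign(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge: str, counter: int) -> int:
    d = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    return leading_zero_bits(d)

def issue_challenge(client_ip: str, now=None) -> str:
    """Stateless: everything needed to verify later is inside the signed token."""
    ts = int(time.time() if now is None else now)
    payload = f"{client_ip}|{ts}|{os.urandom(8).hex()}|{DIFFICULTY_BITS}"
    return f"{payload}|{_sign(payload).decode()}"

def solve(challenge: str) -> int:
    """Client side (in a browser this would be JavaScript): brute-force a counter."""
    counter = 0
    while _work(challenge, counter) < DIFFICULTY_BITS:
        counter += 1
    return counter

def verify(challenge: str, counter: int, client_ip: str, now=None) -> bool:
    """One HMAC and one SHA-256, no database or shared session store touched."""
    now = time.time() if now is None else now
    try:
        ip, ts, nonce, bits, sig = challenge.split("|")
        ts, bits = int(ts), int(bits)
    except ValueError:
        return False                      # malformed token
    payload = f"{ip}|{ts}|{nonce}|{bits}"
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False                      # forged or tampered token
    if ip != client_ip or not 0 <= now - ts <= TTL:
        return False                      # wrong client or expired
    # Limitation: a solved token can be replayed from the same IP until it expires.
    return _work(challenge, counter) >= bits
```

Because verification needs only the shared key, any number of identical challenge servers can be added behind a load balancer without coordinating state, which is the scaling property the post asks for.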