Cloudflare does have test colos that use a subset of real network traffic for testing. It's actually the primary testing methodology, and the employees are usually some of the first people forced through test updates.
This release wasn't meant to go out, and the fact it did means it would have bypassed the test environments either way.
1. Why are WAF rules not progressively deployed since there's already a system to do so?
2. Maybe there should also be a testing environment that receives a mirror of production traffic before deployments reach real users?
(I understand the WAF change was not set to take action, but a separate environment would be less likely to affect production)