When we are thinking about security (rather than the functionality of a web application) there is often little difference between a GET and a POST. Consider the following examples:

1. Benign GET / repeated 1000 times per second. That's a DoS on the server

2. Shellshock. Looks like a benign GET / but nasty payload in User-Agent header

3. Simple GET but with SQLi in the URI 

Depends what you mean by 'static content'. If a web site was served entirely from Cloudflare's cache then I wouldn't be worried about #1, #2 or #3 above. Any time we hit the origin web server I would worry.