Best Practices for a TLS Server

There are some very positive recommendations in your post.
Some things you mention, but don’t/haven’t implemented in your sample site.
You also seem to discard some things (all too easily) when you haven’t been able to implement them to their potential perfection.

All in all a good post; and a good start for positive dialog on a very timely topic.

In my review of your sample site…
When implemented correctly, you could benefit from the addition of:
RSA cert 4096 bit (in addition to the existing ECC cert - dual certs)
DNS CAA (RFC 6844)
TLS 1.3 (RFC 8446)
DHE (0x9F) [with 4096 bit DH prime]
ARIA (0xC05D)
HPKP (RFC 7469)
Additional Named Groups (brainpoolP512r1, sect409r1, brainpoolP384r1)

Things you might want to remove from your sample site report:
HTTP server signature = Apache/2.4.35 (LibreLAMP) LibreSSL/2.8.2 PHP/7.1.23
Server hostname = librelamp.com (rDNS for 45.79.96.192 & 2600:3c01:0:0:f03c:91ff:fee4:310c)

Again, ONLY “when implemented correctly”.
And I can’t stress this enough: If you can’t implement something correctly, then just don’t.
That goes to everyone [not just to you nor to myself].