It’s using Mozilla’s “intermediate compatibility” cipher suite configuration.
https://wiki.mozilla.org/Security/Server_Side_TLS
https://mozilla.github.io/server-side-tls/ssl-config-generator/
In my opinion, it’s a reasonable choice. In my opinion, a different configuration – like Mozilla’s “modern compatibility” option – that reduces compatibility with old clients and increases security is also a reasonable choice.
As you said, the least good options are at the bottom of the list, so modern clients will always choose something better.
It’s your choice whether to stick with the default or change it to something else.
Editing the file should be safe. I think any changes will be preserved next time Certbot is upgraded, but I’m not 100% sure.
Future versions of Certbot may make these options more easily configurable.