I tried to explain my (and many other people on the Certbot team’s) opinion on this issue at https://github.com/certbot/certbot/issues/1123#issuecomment-307879558.
We could potentially revisit that, but the short version is you should feel free to modify /etc/letsencrypt/options-ssl-nginx.conf with the values you want. What will happen is when we ship updates to that file in the future, we will print a warning once that there were updates to the file which we did not apply because of your modifications. That warning will include the copy of the updated file included in Certbot’s installation which you can look at and copy over changes if you wish.