Programs like web servers that expose a list here are doing that because the libraries they use did that, not because it makes any sense to configure it this way.
Of course the real fix is to change libraries to offer an appropriate API but handling the distance between what a pre-existing library does out off the box and what users want/need is the whole point of application software.
Later TLS 1.4 comes out. How can I allow new TLS 1.4 and existing TLS 1.2 clients without allowing TLS 1.3 clients using your method.
The server software would have to be updated to include a blacklist or go back to being an ordered list.
In my opinion, the `ssl_protocols` config should accept a string like "TLSv1.2+ -TLSv1.3", basically stating a minimum version, allowing exclusions and including anything newer. In the same spirit, one should be able to do "TLSv1.0-TLSv1.2" for setting a maximum, with specific exclusions if a new TLS version ever becomes a problem.