
Most of the things people get dinged for in this kind of report are things that were already fixed in modern TLS.

If you set your clients and servers to TLS 1.3 only (which I consider the modern TLS stack), you only have a handful of ciphers to choose from (AES128-GCM, AES256-GCM, and ChaCha20-Poly1305), which avoids any issues with CBC constructions. Most of your issues are going to be around X.509 certificate processing, because the TLS protocol and ciphers are easier to use correctly than in the past, but X.509 hasn't changed significantly.
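An added example, not part of the comment above: one way to confirm a client really is TLS 1.3 only is to capture the ClientHello it would send and check what it offers. This sketch uses Python's `ssl` module with in-memory BIOs, so no network is involved; the hostname `example.test` and the function names are placeholders, and the same `minimum_version` attribute applies to a server-side context.

```python
import ssl
import struct

# IANA code points for the three suites named in the comment above.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

def tls13_only_client_context():
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def capture_client_hello(ctx, hostname="example.test"):  # placeholder hostname
    """Start a handshake over in-memory BIOs; return the ClientHello record bytes."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no peer, we only want the first flight
    return outgoing.read()

def parse_client_hello(record):
    """Return (cipher suite code points, supported_versions) the client offered."""
    if len(record) < 44 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]          # legacy_session_id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]          # legacy_compression_methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos, end, versions = pos + 2, pos + 2 + ext_total, []
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 43:          # supported_versions: 1-byte length, 2-byte entries
            count = record[pos + 4] // 2
            versions = list(struct.unpack_from("!%dH" % count, record, pos + 5))
        pos += 4 + ext_len
    return suites, versions

if __name__ == "__main__":
    suites, versions = parse_client_hello(capture_client_hello(tls13_only_client_context()))
    print("versions offered:", [hex(v) for v in versions])
    print("suites offered:", [TLS13_SUITES.get(s, hex(s)) for s in suites])
```

Running the same capture against an unmodified `ssl.create_default_context()` shows the longer list of older versions and suites the default client still offers.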


