There’s no way you should have gotten that with a default configuration with the current options. What were the noted concerns, and which test platform noted them?
And I agree that HSTS is something that needs to be explicitly enabled by the admin once he’s sure the TLS configuration (including renewal, especially if using Let’s Encrypt) is working properly. It should not be enabled by default.