Well, it’s definitely old – 20 years old, to be specific. There are known vulnerabilities (even if they can be mitigated), and it supports a number of insecure cipher suites (which can be configured out). TLS 1.2, the current real standard (TLS 1.3 isn’t official yet, but there seems to be a widely-agreed pseudo-standard at this point), is itself over 10 years old. But my confusion was more that a given “TLS policy” (1) does things that don’t have anything to do with TLS (like the SSH configuration), and (2) configures different services to do different things.
On the latter point, my expectation would be that “TLS policy X” configures all services that use TLS at all, to use the same set of protocols and cipher suites. Maybe there are technical reasons this isn’t practical, but that’s what I’d expect a “TLS policy” to do.
Now, as to the question on TLS 1.0, yes, I think we should create a policy to deprecate that (and TLS 1.1) entirely, allowing only TLS 1.2 and 1.3. That should pretty well address the cipher suite issue as well. It will break compatibility with IE < 11 and Android < 5, so I’d think it should be an option rather than the only setting, but I do think it should be there (and probably be the default for a new install).
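A way to verify that a "TLS 1.2 and 1.3 only" policy has actually taken effect on every service it is supposed to cover, as an added example (not code from this thread or from the project being discussed): it offers each protocol version on its own to a host and port you supply and lists the legacy versions the server still negotiates. The `host` and `port` values are assumptions you fill in for your own services.

```python
import socket
import ssl

# Versions a "TLS 1.2 and 1.3 only" policy must refuse, and those it must keep.
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
ALLOWED = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled because the probe only asks whether
    the server is willing to negotiate this version, not who the server is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level can refuse TLS 1.0/1.1 on the
        # client side before the server is asked; lower it so the answer
        # reflects the server's policy rather than the probing machine's.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL) ignore this
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'unsupported'."""
    try:
        ctx = probe_context(version)
    except (ValueError, ssl.SSLError):
        return "unsupported"  # the local OpenSSL cannot even offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except OSError:  # protocol_version alert, or a bare reset mid-handshake
            return "rejected"


def audit(host, port):
    """Map each version name (e.g. 'TLSv1_1') to the probe result."""
    return {v.name: probe(host, port, v) for v in LEGACY + ALLOWED}


def violations(results):
    """Names of legacy versions the server still accepts despite the policy."""
    return [v.name for v in LEGACY if results.get(v.name) == "accepted"]
```

Run `audit(host, port)` once per TLS-speaking service (web, mail, LDAP, ...) and compare the results: under a consistently applied policy every service should report the same two rejections and the same two acceptances.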