
Your defaults would change every few months.

BEAST attack comes out... Use RC4.

Not long after... RC4 is weak, use GCM.

GCM isn't supported on older versions of almost everything.

Upgrade servers to 2012R2, latest versions of Linux, throw away your old phones, check out your legacy devices...

Security isn't a question with a right or wrong answer, it's a question with the best answer for the available information and the clients you have at the time. And those answers are changing daily with all the research being conducted.



All the more reason for someone who's on top of things to fix the defaults whenever they change.


While that would be nice, it doesn't fix the problem; that problem is:

If you are administering SSL enabled sites, you MUST keep track of latest security practices

Why is that? If you add a new server with different defaults, do you a) update all the other servers to the new defaults, or b) set the new server to your existing configuration?

Most server applications don't change defaults between minor versions because it leads to even worse problems. Such as users not updating because their application breaks and keeping old bugs alive.


The combination of recommending to use modern cipher modes with no known vulnerabilities and HSTS can be lethal.

Older clients won't even know you're there. No first page, no contact info, nothing. Just hang on page load. It might not always be desirable.

It might be a good idea to have two security levels if you're doing HSTS. One to accept every cipher under the sun to use for public pages and data, and a secure one to use to protect session cookies for logged in users.
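Added example, not part of any comment in this thread: a small Python model of the two-level idea above, showing which clients each level can still negotiate with and which non-AEAD suites the permissive level keeps accepting. The suite names are OpenSSL-style; the two tiers, the client offers and every function name are constructed for illustration.

```python
# Added illustration. Tiers and client offers below are constructed sample data.

def classify(suite):
    """Bucket an OpenSSL-style suite name by the property the thread argues over.
    Assumption: only covers the kinds of names used in this example."""
    if "RC4" in suite:
        return "rc4"    # stream cipher, the stopgap recommended after BEAST
    if "GCM" in suite or "CHACHA20" in suite:
        return "aead"   # requires TLS 1.2 support on both ends
    return "cbc"        # block cipher in CBC mode, the BEAST-era concern

def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite the client also offers.
    Returns None when there is no overlap, i.e. the handshake fails."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

def audit(tier):
    """Return the non-AEAD suites a tier still accepts, grouped by class."""
    findings = {}
    for suite in tier:
        kind = classify(suite)
        if kind != "aead":
            findings.setdefault(kind, []).append(suite)
    return findings

# Strict level for hosts that carry session cookies (constructed).
SESSION_TIER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
# Permissive level for public pages (constructed).
PUBLIC_TIER = SESSION_TIER + ["ECDHE-RSA-AES128-SHA", "AES128-SHA",
                              "DES-CBC3-SHA", "RC4-SHA"]
# What two hypothetical clients offer in their ClientHello (constructed).
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"],
    "legacy": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
}

def reachability():
    """For each client, the suite each tier would select (None = cannot connect)."""
    return {name: {"public": negotiate(PUBLIC_TIER, offer),
                   "session": negotiate(SESSION_TIER, offer)}
            for name, offer in CLIENTS.items()}

if __name__ == "__main__":
    for name, result in reachability().items():
        print(name, result)
    print("public tier findings:", audit(PUBLIC_TIER))
    print("session tier findings:", audit(SESSION_TIER))
```

The split only protects sessions if the cookie never reaches the permissive host, so in this model the session cookie would be host-only and marked `Secure` on the strict host.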



