Disable TLS 1.0/1.0 for Port 8000 Agent Receiver

Hey,
we already looked into this. Unfortunately we have not found a satisfying solution.
The option --ssl-version TLSv1_2 disables all other versions including TLS 1.3. That’s why we haven’t set this option.
The actual risk is very small, since the only client is the agent-controller. This brings its own TLS stack which does not support TLS 1.1 or lower. So downgrade attacks on this communication are not possible. So security-wise I see no risk here (except automatic compliance scanners :frowning:)

In Checkmk 2.2 a newer Python version will be used which does not support TLS 1.1 and lower.
In the long run we would like to put the site Apache in front of the agent receiver; unfortunately this is currently not possible.

If you disagree with the risk assessment, I’m happy to hear the arguments; if you just want to be compliant, the solution of @stager999 is the one I would recommend.