Our configuration doesn't support IE6 or IE8 on Windows XP, but that's the only downside. Also, this configuration has 100% forward secrecy :)
Finally, you can get an A+ rating for free with StartSSL's free option, then using the SHA2 intermediate certificate[2]. This is what I use for my pgp keyserver[3].
The problem here is not "how to have a secure configuration", it's really "why is it not secure by default"; we actually need more "secure by default" because it largely reduces the chances of doing it wrong.
You can keep your A+ and add IE8 on XP, plus boost your key exchange to 100%[0], by following Mozilla's TLS docs[1] and sticking with the default Intermediate ciphersuite.
You might also consider disabling server tokens to hide your Nginx version (server_tokens off;) for a bit of 'security through obscurity' and enabling SPDY (listen 443 ssl spdy;) for a performance boost.
Also worth pointing out is the upcoming Let's Encrypt project[2] which will make domain validated certificates free soon.
What prevents me from using 'Modern' is it requires Android 4.4+, which excludes a hell of a lot of mobile users. I'm okay with dropping XP support but dropping Android 4.3 and earlier is too limiting for me.
[1]: https://www.ssllabs.com/ssltest/analyze.html?d=utilityapi.co...
[2]: https://www.startssl.com/certs/class1/sha2/pem/
[3]: https://www.ssllabs.com/ssltest/analyze.html?d=sks.daylightp...