The KB describes that the order of suggested ciphers has been changed.
ssh (and ssl/tls for that matter) negotiates the ciphers used via a prioritized list provided by both client and server. The first match is what they will use.
In this case the KB describes that CBC based ciphers have been put lower in the list so CTR will be preferred - but if the client only suggests CBC ciphers, you can force the Junos device to use CBC. This is basically what your pentesters are doing, trying to actively downgrade the security.
It's the same with https:// websites where you can have all your new TLS 1.2, 1.3 etc. but if you forget to disable e.g. SSLv3, the client can force-downgrade the connection to SSLv3 if they want to.
The right solution is to decide which ciphers to allow, test that all your clients support this scheme and then deploy on all devices in your network.
I hope that clarifies.
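The negotiation the answer above describes, modelled as a small added example (not code from the post, Juniper, or any SSH implementation). In SSH the rule is the one from RFC 4253 section 7.1: each side sends a preference-ordered name-list and the chosen cipher is the first entry on the client's list that the server also offers, so reordering the server's list only helps when the client itself prefers CTR. The three server lists below are constructed illustrations of "before the KB", "after the KB" and "CBC removed", not the actual Junos defaults.

```python
"""Toy model of SSH cipher negotiation (RFC 4253 section 7.1).

Both sides advertise a preference-ordered name-list in KEXINIT. The cipher
chosen is the first name on the client's list that the server also supports.
If there is no common cipher the connection fails.
"""

# Constructed server lists for the three configurations discussed.
SERVER_BEFORE_KB = ["aes128-cbc", "3des-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
SERVER_AFTER_KB = ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc", "3des-cbc"]
SERVER_CTR_ONLY = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]

# Constructed client lists: a normal modern client and one that only offers CBC
# (this is what a downgrade test against the server looks like on the wire).
NORMAL_CLIENT = ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc"]
CBC_ONLY_CLIENT = ["aes256-cbc", "aes128-cbc"]


def negotiate(client_prefs, server_prefs):
    """Return the first client-preferred cipher the server offers, else None."""
    offered = set(server_prefs)
    for name in client_prefs:
        if name in offered:
            return name
    return None  # no common cipher: the SSH transport disconnects


def weak_ciphers_offered(server_prefs):
    """Audit helper: CBC ciphers still reachable, whatever their position."""
    return [c for c in server_prefs if c.endswith("-cbc")]


def run_scenarios():
    """Negotiate every client/server pair; returns {(client, server): cipher}."""
    clients = {"normal": NORMAL_CLIENT, "cbc-only": CBC_ONLY_CLIENT}
    servers = {
        "before-kb": SERVER_BEFORE_KB,
        "after-kb": SERVER_AFTER_KB,
        "ctr-only": SERVER_CTR_ONLY,
    }
    return {
        (c, s): negotiate(cp, sp)
        for c, cp in clients.items()
        for s, sp in servers.items()
    }


if __name__ == "__main__":
    for (client, server), cipher in run_scenarios().items():
        print(f"{client:9s} client vs {server:9s} server -> {cipher or 'DISCONNECT'}")
    for name, lst in [("after-kb", SERVER_AFTER_KB), ("ctr-only", SERVER_CTR_ONLY)]:
        print(f"{name}: CBC still offered = {weak_ciphers_offered(lst)}")
```

Running it shows the point of the answer: the reordered list still yields `aes256-cbc` for a CBC-only client, and only the list that omits CBC entirely refuses the downgrade (the client gets no common cipher). The `weak_ciphers_offered` check is the test to apply to the configured list, since position in the list is not what a scanner reports. On a real OpenSSH client, `ssh -vv` prints the server's advertised name-lists in its `debug2: ciphers ctos:` / `stoc:` lines, which is where to confirm that CBC no longer appears after the change is deployed.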