The information on ciphersuite.info is not presented in the clearest of ways. Let’s have a look at their FAQ:
What does insecure, weak, secure and recommended mean?
These ciphers are old and should be disabled if you are setting up a new server for example. Make sure to only enable them if you have a special use case where support for older operating systems, browsers or applications is required.
Secure ciphers are considered state-of-the-art and if you want to secure your web server you should certainly choose from this set. Only very old operating systems, browsers or applications are unable to handle them.
All ‘recommended’ ciphers are ‘secure’ ciphers by definition. Recommended means that these ciphers also support PFS (Perfect Forward Secrecy) and should be your first choice if you want the highest level of security. However, you might run into some compatibility issues with older clients that do not support PFS ciphers.
So to be frank: Weak means these have problems and should be avoided at all cost. Only enable these if you know you really really have to. Secure means they’re not technically broken, but they also don’t offer any desirable features. Recommended means these are the ones you should actually use.
I would disagree with their statement about incompatibility. The only clients that do not support modern ciphers are already outdated clients and no longer supported anyways. These clients should be dropped unless you have a very good reason to support them.
Why are these ciphers in particular considered weak?
As Soufiane Tahiri pointed out in his answer, CBC ciphers and RSA ciphers are not considered state-of-the-art anymore.
CBC ciphers have quite a lot of problems, such as the mentioned Lucky 13 attack, or other side-channel attacks. CBC also violates Moxie Malinspike’s Cryptographic Doom Principle:
If you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom.
GCM, for instance, does not violate this principle, so it is vastly preferred.
RSA on the other hand does not support forward secrecy, which is a VERY useful feature when it comes to cryptography. Basically, with RSA, the server sends its public key, the client generates a random secret, encrypts it with the public key and sends it back to the server. The server then decrypts it with its private key. The following graphic from the Cloudflare Blog illustrates it well:
While this looks simple and secure, it does have one glaring weakness: If an attacker captures the initial key exchange and later gets the private key in some way, the can decrypt the previously captured traffic.
Cipher suites which support forward secrecy work in a different way. Instead of transmitting the secret over the wire, a key exchange protocol like Diffie-Hellman is used, in which the actual secret to be used is generated through mathematical means. I’ll leave it up to the reader to see how it works exactly. The advantage is that the secret is ephemeral, meaning that it exists only for one session and that’s it. Even with access to the private key and the entire communication, the secret cannot be determined. Furthermore, if the secret key used in one session is compromised, other sessions are still secure.
So what does this all mean?
In simple terms: Don’t use cipher suites that Qualis SSL scan claims to be weak. You have no advantages in doing so.