When the /sec-warning page started being delivered to connections with TLS <1.2, calls to the MW API (in my case, using the .net fx 4.5 infrastructure) that expect an XML return started failing in parse because of an unclosed <IMG> tag (which is valid HTML). I would imagine callers expecting json would fail more dramatically. Eventually I was able to peek the incoming HTML, read the comment at the end, and track down how to configure TLS properly.
It might be more helpful to include an HTML comment in the top of the file, directed at API developers, and suggesting they research their HTTP connections and implement the right security level. I'd be more likely to notice that during debugging. But this is a low priority, I'd admit; there probably aren't many in this situation, and in a couple of weeks it will be moot.
See T240497 for my initial misunderstanding on this.