It's both the AnyConnect client with its built-in libraries and the operating system that need to support strong ciphers. But if you use an actual AnyConnect and one of the more modern OS, you can strengthen the TLS security. Here are my settings that are working fine for my clients:
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19
Leaving DTLS enabled is a trade-off between security and usability. But having it enabled reduces the security to a TLS 1.1 level. But if compared to the rest of the network, this is often still the most secure link in the organization.
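To see which lines of such a configuration account for the DTLS trade-off, the following added example (not part of the original post and not Cisco tooling) parses the `ssl` lines and reports every suite that lacks forward secrecy, lacks an AEAD cipher, or relies on HMAC-SHA1. The policy constants and the function names `classify` and `audit` are assumptions made for this sketch.

```python
import re

# Constructed input: the five ASA lines quoted in the post above.
ASA_CONFIG = """\
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19
"""

# Assumed policy for this example: TLS 1.2 only, DHE modulus of at least 2048 bits.
ACCEPTED_VERSIONS = {"tlsv1.2"}
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}  # MODP sizes

def classify(suite):
    """Derive the relevant properties from an OpenSSL-style suite name."""
    parts = suite.upper().split("-")
    aead = any(p in ("GCM", "CHACHA20") for p in parts)
    return {
        "forward_secrecy": parts[0] in ("ECDHE", "DHE"),
        "aead": aead,
        # In non-AEAD suites the last token names the HMAC hash; bare "SHA" is SHA-1.
        "sha1_mac": not aead and parts[-1] == "SHA",
    }

def audit(config):
    """Return (scope, item, issue) tuples for every line that misses the policy."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r'ssl cipher (\S+) custom "([^"]*)"', line):
            for suite in m.group(2).split():
                props = classify(suite)
                if not props["forward_secrecy"]:
                    findings.append((m.group(1), suite, "no forward secrecy"))
                if not props["aead"]:
                    findings.append((m.group(1), suite, "no AEAD cipher (CBC or stream)"))
                if props["sha1_mac"]:
                    findings.append((m.group(1), suite, "HMAC-SHA1 integrity"))
        elif m := re.match(r"ssl server-version (\S+)", line):
            if m.group(1) not in ACCEPTED_VERSIONS:
                findings.append(("server-version", m.group(1), "outside accepted versions"))
        elif m := re.match(r"ssl dh-group (\S+)", line):
            bits = DH_BITS.get(m.group(1))
            if bits is None or bits < 2048:
                findings.append(("dh-group", m.group(1), f"DHE modulus: {bits or 'unknown'} bits"))
    return findings

if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print(*finding, sep=" | ")
```

Run against the configuration above, every finding falls on the `dtlsv1` cipher line; the TLS 1.2 suites and the DH group pass the assumed policy.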