Thanks for the detailed information, I'm sure many will find it useful.
If you want the order to be exactly what you want just use -ALL:ECDHE+AES256:ECDHE+AES128... as you suggest (that's -ALL:...). This avoids the need remove things with !.
I'm rather wary of SSLlabs myself and tend to double-check everything around ciphers using the
openssl s_client
functionality. I had an Apache server that SSLlabs kept giving a C and claimed was supporting EXPORT, DES and others when I knew I'd configured it not to. OpenSSL proved I was right and SSLlabs were not.