ucs75
newbie
Topic Author
Posts: 32
Joined: Fri Sep 20, 2013 10:06 pm

Insecure VPN

Fri Dec 15, 2017 8:53 pm

If I create, for example, a GRE tunnel and add a passphrase to each side of it, RouterOS will dynamically create an IPSec tunnel between my two endpoints.
It will use the default proposal, which allows me to set the PFS DH Group, but not the Phase 1 DH Group. It always uses Group 2 -- which has been considered insecure for years.

Is there a way that I am not aware of to modify the default Phase 1 settings for dynamic IPSec tunnels?

This seems like a very serious and important issue.
 
pe1chl
Forum Guru
Posts: 10612
Joined: Mon Jun 08, 2015 12:09 pm

Re: Insecure VPN

Sat Dec 16, 2017 12:58 pm

It is not really a serious and important issue, because it can only be exploited by someone who can be a true man-in-the-middle between your endpoints, which normally is not realistic for an outside attacker.
However, you can always do this:
- configure GRE with passphrase as you did
- look in IPsec->Peers and IPsec->Policies what it created and write it down
- remove the IPsec passphrase from the GRE tunnel
- manually create the same Peer and Policy as you have seen before (and have now disappeared), changing what you want.

The result will be the same except that it is more work to configure. See the option in GRE tunnel as a quick configure solution for the normal case.
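The manual replacement described above, written out as a RouterOS CLI example (added here, not part of pe1chl's post). It assumes RouterOS 6.x before 6.43, where the peer still carries dh-group, enc-algorithm and hash-algorithm (in 6.43 and later those settings moved to /ip ipsec profile and the peer references them via profile=); a local public address of 198.51.100.1, a remote address of 203.0.113.2, a tunnel named gre-tunnel1 and a pre-shared key of "ChangeMe" are placeholders. The same steps, with the addresses swapped, are needed on the other router.

```routeros
# Added example (not from the original post): replace the dynamic IPsec that
# "ipsec-secret=" on a GRE interface generates with a manual peer, proposal and
# policy whose Phase 1 DH group you choose yourself.
# Assumptions: RouterOS 6.x before 6.43, local address 198.51.100.1, remote
# address 203.0.113.2, tunnel name gre-tunnel1, pre-shared key "ChangeMe".

# 1. The quick configuration from the question: GRE with a passphrase.
/interface gre add name=gre-tunnel1 local-address=198.51.100.1 \
    remote-address=203.0.113.2 ipsec-secret=ChangeMe

# 2. Look at what RouterOS generated (dynamic entries are flagged "D").
#    The peer uses dh-group=modp1024, i.e. DH group 2; the policy is
#    transport mode, protocol=gre, using the default proposal.
/ip ipsec peer print detail
/ip ipsec policy print detail

# 3. Remove the passphrase; the dynamic peer and policy disappear.
/interface gre set gre-tunnel1 ipsec-secret=""

# 4. Recreate them by hand with stronger Phase 1 and Phase 2 settings.
/ip ipsec proposal add name=gre-strong auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m
/ip ipsec peer add address=203.0.113.2/32 local-address=198.51.100.1 \
    auth-method=pre-shared-key secret=ChangeMe exchange-mode=main \
    dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1d
/ip ipsec policy add src-address=198.51.100.1/32 dst-address=203.0.113.2/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 proposal=gre-strong

# 5. Verify the Phase 1 that was actually negotiated and that SAs exist for
#    the GRE traffic.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Two caveats when doing this on a live link: between step 3 and step 4 the GRE interface has no encrypt policy at all, so GRE keepalives and any tunnel traffic go out in plaintext unless the interface is disabled for the duration of the change; and because the policy uses level=require, the tunnel will stop passing traffic, rather than fall back to plaintext, until the peer on the other side has been changed to match.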
 
andriys
Forum Guru
Posts: 1546
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Insecure VPN

Sat Dec 16, 2017 1:31 pm

- look in IPsec->Peers and IPsec->Policies what it created and write it down
- remove the IPsec passphrase from the GRE tunnel
- manually create the same Peer and Policy as you have seen before (and have now disappeared), changing what you want.
There's a bit simpler way to proceed. Double-click on your automatically-generated peer, then use the "Copy" button to create a clone of that peer that you can modify as you wish. Once done, remove the passphrase from your GRE tunnel configuration.
 
pe1chl
Forum Guru
Posts: 10612
Joined: Mon Jun 08, 2015 12:09 pm

Re: Insecure VPN

Sat Dec 16, 2017 5:51 pm

That works only in winbox, not in webfig.