This is a well known bug:
- grub2-mkconfig creates boot choices in wrong order (CentOS Bug 0007651)
- grub2-mkconfig wrong sorting (RHEL Bug 1124074)
- grub2 wrong sorting (Bug 678840 - fixed)
To determine how a kernel package updates grub.cfg one can display the scripts via:
$ yum whatprovides /boot/vmlinuz-3.10.0-123.9.3.el7.x86_64
kernel-3.10.0-123.9.3.el7.x86_64 : The Linux kernel
[..]
$ rpm -q --scripts kernel-3.10.0-123.9.3.el7.x86_64
This shows that /usr/sbin/new-kernel-pkg is called - which in turn calls grubby.