In case of dispVMs the tor-browser is copied out of the template's /var/cache/tb-binary/.tb/tor-browser each and every time an dispVM instance is started.
This is to make sure there is nothing unique about the profile. Also there was a time when you could choose on first run (which is what you remember), but that functionality came from the whonix team and not the torbrowser team. After it was pointed out that it doesn't always work (it would say safest, but actually not use that setting) the script was retired.
So the way you are using it now: change to safest every time a dispVM starts is they way it is designed to be.
There is a way for you to change that and have your own settings take effect, but that makes your profile different from all the other torbrowser instances out there and might be used for fingerprinting. If you only change the default security level however the risk should be minimal IMHO.
To do that you'd create a normal AppVM instance of whonix-ws-15 and configure the torbrowser in it the way you want. Then you close the torbrowser and qvm-copy ~/.tb/tor-browser to whonix-ws-15. In whonix-ws-15 you will then remove /var/cache/tb-binary/.tb/tor-browser and replace it with the one that is in your ~/QubesIncoming.
Now it will also take effect in your dispVM. When there is a torbrowser update triggered through 'apt upgrade' in the template all your modifications will be lost and you have to repeat the above.