Re: I continue to be surprised
1) Not everyone is aware of https or is skilled at managing it. I am in the midst of a conversation with a charity that I volunteer for wherein I am trying to get them to convert their login page to https, but the site provider is unable, for whatever reason, to forward the http connection (the site connects via https just fine, but if you connect via http, the connection stays insecure). It seems like a very straightforward process to me, but the situation has not changed for over a month. The stopgap I'm getting the charity to employ is to update their documents and newsletters to at least use https links instead of http.
2) Certificate management and upkeep is a tremendous ball-ache. I don't care how simple you think it is. If I didn't already know what the process entails, this page would be complete fucking gobbledegook. While a Web developer setting up a site should arguably understand this process, a great many do not, including developers coding for highly business-critical Web applications (go on, ask me how I know).
While I would not want to justify failing to use https, it's one more damn thing to do (and maintain; you have to ensure that you keep up your certs, which are apparently now being set to expire 30 days before they were issued in the name of security [yes, that's sarcasm, do keep up]), and it's effort which, in many cases, doesn't have an obvious positive yield for the site maintainer. Now, conversely, if I were running a Bitcoin exchange, I would definitely want https to be the default setting, if for no other reason than wanting to ensure that the Dunning-Krugerrands wind up in my pocket and not someone else's when I decide to fake my death and abscond to a foreign country with the proceeds of my clients' ill-placed trust. If I were the client of such an exchange, I would definitely pay close attention to whether https is being used as well, but I'm not sure what the interface for such a thing looks like, so maybe it's not obvious.
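The two problems the post describes, a site that answers over plain http without bouncing the visitor to https, and certificates that quietly run out, are both things you can check from a script rather than by eyeballing a browser. The following is an added example, not code from the original post or from any site provider; the host names are placeholders, and the sample responses and certificate dates used to exercise it are constructed. It splits the logic into pure functions (classify the plain-http response, parse HSTS, compute days left on the certificate, turn those into findings) so they can be tested offline, plus two small live probes that use the standard library only.

```python
"""Probe a host for forced-https and certificate expiry (added example)."""
import http.client
import ssl
from datetime import datetime, timezone


def classify_http_response(status, headers):
    """Classify what a plain-http GET / returned.

    'redirects-to-https'  - 301/302/307/308 whose Location is https://
    'redirects-to-http'   - a redirect that stays on http (still insecure)
    'serves-over-http'    - a 2xx page served in the clear (the charity's case)
    'other'               - errors, auth challenges, etc.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        if hdrs.get("location", "").lower().startswith("https://"):
            return "redirects-to-https"
        return "redirects-to-http"
    if 200 <= status < 300:
        return "serves-over-http"
    return "other"


def hsts_max_age(headers):
    """Return the Strict-Transport-Security max-age in seconds, or None if absent/invalid."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def days_until_expiry(not_after, now_iso=None):
    """Days from now (or an ISO-8601 instant) until a cert's notAfter.

    `not_after` is in the format ssl.getpeercert() returns, e.g. 'Jan  1 00:00:00 2030 GMT'.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def findings(http_class, hsts_seconds, days_left, renew_within=30):
    """Turn the three measurements into a list of human-readable problems."""
    out = []
    if http_class == "serves-over-http":
        out.append("plain http is served without a redirect to https")
    elif http_class == "redirects-to-http":
        out.append("http redirects, but to another http URL")
    if hsts_seconds is None:
        out.append("no Strict-Transport-Security header on the https response")
    elif hsts_seconds < 180 * 86400:
        out.append("HSTS max-age is under six months (%d s)" % hsts_seconds)
    if days_left < 0:
        out.append("certificate has expired")
    elif days_left < renew_within:
        out.append("certificate expires in %.1f days; renew now" % days_left)
    return out


def probe_plain_http(host, timeout=10):
    """Live probe: what does GET http://host/ do? (network access required)"""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_http_response(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def probe_https(host, timeout=10):
    """Live probe: HSTS max-age and days left on the leaf certificate."""
    conn = http.client.HTTPSConnection(
        host, 443, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        cert = conn.sock.getpeercert()  # verified chain; raises on a bad cert
        return hsts_max_age(dict(resp.getheaders())), days_until_expiry(cert["notAfter"])
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # placeholder host
    hsts, days = probe_https(target)
    for line in findings(probe_plain_http(target), hsts, days) or ["no problems found"]:
        print(target + ": " + line)
```

Run it as `python3 check_https.py charity.example` (assumed file and host names). The plain-http probe deliberately does not follow redirects, because the interesting fact is the first hop: a 301 to `http://www.host/` that only later reaches https still leaves that first request, cookies included, in the clear. `getpeercert()` only returns the parsed certificate when the context verifies it, so an expired or mis-issued cert surfaces as an `ssl.SSLError` from the probe rather than a bogus day count.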