Here's the thing: setting up a secure website is a pain. Even for the technically minded folks who don't mind getting hip-deep into arcane command line tools, configuring and enabling the features that ensure encrypted communication is a complicated process that involves requesting cryptographic certificates, installing them, and making sure that they remain current. Those certificates have to be backed by a certificate authority (CA), which provides a chain of trust—essentially proving that a site is who it purports to be. And CAs generally charge for that service. More than a little. So for a lot of website administrators don't bother setting up a secure site if it's not absolutely necessary, such as for ecommerce.