Hipkiss already gave the correct answer, so I want to add another piece to always keep in mind: HTTPS is IT security. Most server breaches today are not caused by 0-day attacks, but because people fail to configure their servers properly. Setting up security is difficult. Because it is difficult and tedious and either requires expensive specialists or people to think hard and do things they don't know and don't understand, many website owners do not want to add TLS to their website. It costs a lot of money (man-hours) and they have no guarantee that what they did works properly. Why invest if the current setup works? Why add additional factors which might disrupt the system and cause down-time? No one wants that. So, people don't upgrade to TLS.