My traditional answer involved the cost of SSL certificates and the perceived difficulty of provisioning & deploying them. But Let's Encrypt has eliminated a lot of those concerns, and once they get wildcard certs that's going to make things even easier.
But even with Let's Encrypt on the table, I have clients who can't force or even reliably enable HTTPS on their sites. The issue is third parties, specifically advertisers and SaaS platforms.
Clients fall in love with services for things like forms and polls or fancy animated charts, and sometimes the big draw is price more than anything. But not all of these services are profitable or even savvy enough to support HTTPS. So, clients end up with a choice between delaying HTTPS adoption for a little longer or taking on the expense of choosing another service and migrating years of existing third-party integrations to the new platform.
Advertisers make it worse, especially when you're dealing with remnant ads, which could be pretty much anything from anyone. Not all these ads serve their creative from HTTPS-enabled servers, even if the ad service itself does. So you can end up with an HTTPS page trying to load HTTP ad creative and having mixed content issues. If the browser blocks that mixed content, it could affect page layout and other scripts running on the page that expect it to be there. All it takes is for someone's boss to pull up the company's site once and get a broken layout. Then, you can expect the order to come down to "fix the site" by disabling HTTPS.
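
The mixed content problem described above can be checked for before HTTPS is enforced. The following is an added example, not part of the original comment: a Python audit of a page's static markup for `http://` subresources, split into the active kind that browsers block on an HTTPS page and the passive kind. The hostnames and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> mixed-content class. "active" loads are blocked on an
# HTTPS page; "passive" ones (media) historically loaded with a warning.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # of <link> elements, only stylesheets are checked here
        for name, value in attrs:
            kind = RULES.get((tag, name))
            if not kind or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page,
            # so only references that really end up on http:// are flagged.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">
<script src="http://forms.example/embed.js"></script>
<script src="//polls.example/widget.js"></script>
</head><body>
<img src="http://creative.example/banner.gif">
<iframe src="http://ads.example/slot?id=1"></iframe>
<img src="/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://www.example/page", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

This sees only the markup it is given; creative that an ad script injects at runtime will not appear in the results.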