95% of HTTPS servers are vulnerable to MITM attacks?

The post Different Encryption Techniques in Java by @dhiraj825 opened with:

95% of HTTPS servers are vulnerable to trivial ( Man In the Middle Attack ) attacks.

I didn't want to hijack the whole post discussing this irrelevant line, so here's a separate topic about it.

I Googled this and it's indeed widely reported, but many of the posts are lacking in technical detail. What I think it comes down to is only 5% of sites in 2016ish sending HTTP Strict Transport Security headers.

If that's the case, do you feel it's fair to make the claim that

• 1) Those 5% of sites are safe (from MITM attack), and
• 2) The other 95% of sites are unsafe

The way I understand HSTS, the first request is still insecure (ignoring addons and browser features that weren't standard in 2016). And an active MITM could strip the headers and keep the connection insecure. The window of opportunity is smaller, but it's there.

So, HSTS is great. But in my understanding, with or without HSTS, there's a http request happening sometime that can be hijacked. Therefore I claim that either all HTTPS sites are secure, or none are.

Am I wrong?