You said, "most of the discussed blog deals with bad (tm) companies who don't have https"
Here's a list of what was covered in the blog post:
1. Tesco claiming they're "storing passwords in a secure way" when they're able to put them in plaintext "into a password reminder email"
2. British Gas claiming they'd "lose [their] security certificate" if they allowed people to paste in passwords from password managers...
3. Betfair claiming that it's great security to allow anyone anywhere in the world to reset anyone else's password, merely by knowing their email and date of birth... when it was pointed out that these are both commonly shared pieces of information, the company then claimed it's a breach of terms to share them... It's so ridiculous for a company to claim to ban everyone from ever celebrating birthdays or ever emailing anyone ever again (you know, for "security" reasons), that Troy orated for a while on this... and how later on he was actually thanked by a guy in Betfair security for sparking the public shaming that finally got through to management.
4. Some other unnamed bank who also could not get things fixed until they were publicly shamed.
5. NatWest's home page is insecure, which means it can be attacked and changed (man-in-the-middle) to change the login link... (Of course the login page is secure, but if you can't trust the link to it, how can you know you went to the right place when navigating there? Maybe you went to a phishing site login instead...) This is the whole HTTP vs HTTPS debate, which Troy discourses on for some time.
6. Santander UK claiming nobody should use password managers for "security reasons"...
7. Someone claiming it's wrong to shame companies (like Santander), because all it accomplishes is harassing some "poor clueless customer service rep"...
8. Others making the same claim when T-Mobile Austria defended storing passwords in plain text (and they claimed their security is "amazingly good")... Troy then sermonizes for quite a while how these social media accounts are the public face representing the company, and how they should act...
9. Medibank also disallows pasting passwords from password managers... but fairly quickly fixes it (as an example of good response from customer service)
10. TV Licensing site not using HTTPS even when collecting sensitive data from millions of customers! They claim it's "safe... despite messages from some browsers" saying it's not.
11. Two people shaming the shaming of TV Licensing again... but it works anyway, the site is fixed.
12. Someone saying they are "fed up [with] social media managers/comms teams taking control and making erroneous statements"... Take responsibility for what you do, and fix it, is the conclusion!
Any way you slice it, whether by number of incidents named, or by number of companies mentioned, or by number of social media posts shown, or by literal space taken, HTTPS doesn't look like the majority of it to me... (just #5 and #10 in my list)