Comment Re:Huge pet peeve (Score 1) 208
Entirely agree. There was a nascent guideline for users: Check the "padlock". Check that the protocol is https.
Designers then started breaking this. To avoid an extra https serve, particularly on a front page or popular page. For the sake of "Design", including putting a sign-in form on the front page. Etc.
At least I knew to, if at all possible, force the site to serve up an https version of the sign-on page. Most users have no clue about that. And the means for accomplishing this vary. Sometimes, you can do it by replacing "http" with "https" and resubmitting. Sometimes by submitting a blank form. Sometimes you have to populate the form with garbage in order to get by initial checks; the "error" page that comes back when the garbage credentials aren't found is served as https, if you're lucky.
Users were just learning to secure their transactions, when those who presumably had interest in the users' doing so, broke the paradigm, and broke it hard.
I'm at the end of my patience with such fools, who consider themselves professionals.
I'll also mention the idiots who populate their https pages with http references to components. Once you pull in one unencrypted piece, you've opened the door to exploitation. Get a f*cking clue.
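Added example, not part of the comment above: a static check a site owner could run over their own pages to flag the two patterns the comment describes, a password form delivered on an http page and an https page that pulls in http components. The tag list, the finding labels and the `shop.example` / `cdn.example` pages are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as part of the page.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def scheme(url):
    return urlsplit(url).scheme.lower()

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self.form_action = None  # resolved action of the enclosing <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        secure_page = scheme(self.page_url) == "https"
        ref = a.get(FETCH_ATTRS.get(tag, ""))
        # Only stylesheet links are fetched and applied to the page.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            ref = None
        if ref and secure_page:
            url = urljoin(self.page_url, ref)  # resolves relative and // URLs
            if scheme(url) == "http":
                self.findings.append(("mixed-content", url))
        if tag == "form":
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        if tag == "input" and (a.get("type") or "").lower() == "password":
            if not secure_page:
                self.findings.append(("login-form-on-http-page", self.page_url))
            if self.form_action and scheme(self.form_action) == "http":
                self.findings.append(("password-posted-over-http", self.form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (shop.example and cdn.example are placeholders).
FRONT_PAGE = ('<form action="https://shop.example/login" method="post">'
              '<input name="u"><input type="password" name="p"></form>')
LOGIN_PAGE = ('<script src="http://cdn.example/widget.js"></script>'
              '<link rel="stylesheet" href="//cdn.example/site.css">'
              '<form action="/login"><input type="password" name="p"></form>')

if __name__ == "__main__":
    print(audit("http://shop.example/", FRONT_PAGE))
    print(audit("https://shop.example/login", LOGIN_PAGE))
```

The check only sees markup present in the HTML it is given; components added by scripts at runtime need a browser-side check.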