
I see your point, but it's at least partly a feedback loop. If software is going to protect users from themselves, it has to be opinionated and not allow the user to shoot themselves in the foot. This approach is not popular with users.

A good example is the backlash browser vendors get when they try to make TLS errors fatal (without a "continue anyway" button). Users will cry bloody murder until the option to bypass the warning screen is re-added, at which point everyone returns to clicking through all warnings and we're back at "you need to know what you're doing to have a secure machine".




But the users screaming bloody murder are right! (Or rather, they are exaggerating, but they are in essence right.) Most TLS errors are not the result of someone trying to spy on you; they are the result of someone letting the certificate expire or something equally silly.

Furthermore, if all the people advocating HTTPS everywhere get their wish, then the people screaming bloody murder will become even more right! If I'm trying to load the HN homepage, and heaven forfend I get a security error, you better believe I'll ignore it, because even in the unlikely case that someone is spying on me, I can't think of how someone knowing which HN threads I read is going to hurt me in some way.


I'm not sure why you've been downvoted, I think you're quite right. A warning that's shown too often when there's no real threat gets ignored. Making the warnings bigger and scarier is just crying wolf ever louder, and it doesn't work.

I don't think the solution is to avoid HTTPS, however. I think sysadmins need monitoring and automation tools so that expired certificates can be an exceedingly rare event. Letsencrypt has taken a big step towards this by making a fully automated process to get a certificate.
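As an added illustration of the monitoring the comment above calls for (this is example code written for this page, not the commenter's own nor anything from Let's Encrypt or certbot), the Go program below parses a PEM certificate, computes the days left until its notAfter date, and flags it when expiry is within a renewal window. The 30-day window, the hostnames, and the fixed "now" are assumptions; the self-signed certificates it generates are constructed test input standing in for the files a web server would actually load.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertStatus is the result of checking one certificate at a given instant.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // whole days until NotAfter; negative once expired
	Expired  bool // NotAfter is already in the past
	Renew    bool // inside the renewal window (or already expired): act now
}

// CheckPEM parses the first CERTIFICATE block in pemBytes and evaluates its
// validity period against now. renewWindow is how far ahead of expiry the
// monitor starts alerting; 30 days is an assumed value, not a standard.
func CheckPEM(pemBytes []byte, now time.Time, renewWindow time.Duration) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, fmt.Errorf("parse certificate: %w", err)
	}
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: int(remaining.Hours() / 24),
		Expired:  remaining <= 0,
		Renew:    remaining <= renewWindow,
	}, nil
}

// CheckFile is the on-disk form: path is the PEM file a web server would load.
func CheckFile(path string, now time.Time, renewWindow time.Duration) (CertStatus, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return CertStatus{}, err
	}
	return CheckPEM(data, now, renewWindow)
}

// selfSignedPEM fabricates a throwaway self-signed certificate with the given
// validity period. It exists only to give this example constructed input; a
// real monitor reads the certificates the server actually serves.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed "now" so output is reproducible
	window := 30 * 24 * time.Hour                       // assumed renewal window
	cases := []struct {
		name          string
		start, finish time.Time
	}{ // constructed hostnames and validity periods
		{"fresh.example", now.Add(-10 * 24 * time.Hour), now.Add(80 * 24 * time.Hour)},
		{"renew-soon.example", now.Add(-70 * 24 * time.Hour), now.Add(20 * 24 * time.Hour)},
		{"expired.example", now.Add(-100 * 24 * time.Hour), now.Add(-10 * 24 * time.Hour)},
	}
	for _, c := range cases {
		pemBytes, err := selfSignedPEM(c.name, c.start, c.finish)
		if err != nil {
			fmt.Println("generate:", err)
			os.Exit(1)
		}
		st, err := CheckPEM(pemBytes, now, window)
		if err != nil {
			fmt.Println("check:", err)
			os.Exit(1)
		}
		fmt.Printf("%-20s expires %s  days_left=%4d expired=%-5v renew=%v\n",
			st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysLeft, st.Expired, st.Renew)
	}
}
```

Run under cron or a metrics exporter against each PEM the server loads (CheckFile), alert on Renew, and page on Expired: the point is that the human sees an alert weeks before a browser user ever sees a warning page. Note that a monitor like this only covers certificates it knows about; the chain a server actually sends can differ from the file on disk, so production checks should also connect to the live endpoint.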


I wasn't one of the downvoters, but I will say:

> I think sysadmins need monitoring and automation tools so that expired certificates can be an exceedingly rare event. Letsencrypt has taken a big step towards this by making a fully automated process to get a certificate.

I fully agree with this. :)



