My bank doesn't _and_ there's a redirect to a different domain (rbs.co.uk homepage does to personal.rbs.co.uk, rbs.co.uk/englandandwales or the login link goes to rbsdigital.com). Serve a redirect on the non-HTTPS rbs.co.uk to some other plausible domain with a valid HTTPS certificate, and I probably wouldn't notice.
