There's a difference between bowing to practicality / trusting someone, and trusting everyone in the chain that gets the packets from the server to your device.
Attackers might target the link between you and your ISP, which isn't secured to an adequate degree. Servers ought to be harder to reach, but the lack of hygiene displayed by offering only unauthenticated HTTP downloads in 2015 means that even if the people running those servers switched to HTTPS, we know they are probably incapable of securing them. In a way, it is better that HTTP stays as a red flag.