by inglor 3728 days ago
Just the fact http was the default for all websites hosted on WordPress.com is really weird to me. All those websites had all the passwords sent over plaintext.
3 comments

Note that this is about custom domains hosted on WordPress.com's infrastructure. Blogs that were hosted as subdomains of wordpress.com have been using SSL since 2014 according to the original announcement. Let's Encrypt allowed them to enable it for custom domains without delivering a truckload of money to a CA.

The original announcement is a bit more precise on this.

Nope — login pages have been https for many years.
That's because Google rewards on page speed, and SSL used to make you lose the game. So if you want your WordPress to be well referenced, it used to be better to have it insecure.

Additionally, if you published both on HTTP and HTTPS, you were flagged as duplicate content. Fortunately they've reordered the incentives now.