HTTP probably helps admins of large networks cache downloads for their 5000 computers that are all updating at once (if they're not running Apple's update cache server)
This is also how Appleās cache server works, otherwise it would need to break the TLS connection, and that is not an improvement.
I have personally looked at the accompanying connections and it looks like Apple sends hashes over a proper TLS connection. Updates are also signed as another layer of security.