Yes, but if you can midm the http connection you can appear the main site however you like. Including some login format or other way to obtain sensitive data.
...which is completely stupid because they score A+ on SSLlabs [0]. They even have HSTS etc., they really just have to preload it + add a 301 redirect.
I'd be more concerned with the ecommerce sites on the list, like Rebel Sport. Kmart at least does seem to redirect to HTTPS.
[1] http://paymentexpress.com/merchant-ecommerce-pxpay.html