by Chilinot 2682 days ago
The "funny" thing is, it wasn't using HTTPS, it was on the 443 port. But the data was sent unencrypted.
2 comments

Still, sending the data unencrypted wasn't so much the issue here as the server was open to anyone.
Yes, although the transmission being in plaintext makes it even more vulnerable, because if you get to listen to the network where the call center nurses operate, no one needs to crack anything to find out the location of data, its structure and anything else you need to exploit it.
So your reasoning goes that if I leave the front door to my home open, it would still be more secure if it had steel bars on the windows?
No, it's more like that if I leave the front door open, it would still be more secure if the driveway was lighted up so that any inappropriate visitors would be visible.

[Analogies may be terrible, but lack of encryption is an additional factor making attacks even easier, particularly for the purpose of discovering the attack vectors.]

I'll give you the benefit of the doubt that you are arguing the general case, but I'm talking about this case specifically. If all you need to do to access the data is to just browse to a specific address, it matters not whether you need to put http or https in front of that address. No need to set up any eavesdropping devices en route. Just point your browser to the address and download the data. Transport security will not protect your data if you have no access control.
I think his point is that if you are in a Starbucks and you figure out what's on the server, all the other people with hoodies in the Starbucks now know as well.
These calls were answered by Swedish-speaking people in Thailand.

Their business idea was to handle calls that were placed in inconvenient hours, relative to Swedish business hours.

My best guess is that the Thai ISP this office used filtered all outgoing connections except port 80 and 443.

And then someone decided that the way to implement this securely while still allowing this office to access the data was to put a plain HTTP server on port 443. "Who is ever going to crack that?"

I would guess the server is run by the VoIP provider in Stockholm, which literally seems to be 1-3 contractors. Reading between the lines of the few articles published about the call center, it seems like their business idea is to hire old nurses and not pay them very much.

https://www.voiceintegrate.com/se/support/vi-som-jobbar-h%C3...
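The misconfiguration the thread describes (a plain HTTP server listening on port 443) is easy to spot from the first bytes of a connection, because a TLS session always opens with a handshake record whereas plaintext HTTP opens with a request or status line. The following is an added example, not code from the thread or from the companies mentioned in it; the set of "TLS-expected" ports and the sample flow records are constructed for the demonstration.

```python
"""Flag plaintext HTTP on ports that are expected to carry TLS.

Added example: inspects the first bytes of each TCP stream (as a
network sensor or a capture parser would hand them over) and reports
any stream on a TLS-expected port that starts with an HTTP line
instead of a TLS record. All inputs below are constructed.
"""
from typing import Iterable, List, Tuple

# Assumption: ports where TLS is expected in this environment.
TLS_EXPECTED_PORTS = {443, 8443, 465, 993, 995}

# Request-line method tokens that open a plaintext HTTP request.
HTTP_METHODS = (
    b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
    b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ",
)


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes of a TCP stream.

    'tls'     - TLS record header: content type 0x16 (handshake),
                major version 0x03 (SSL 3.0 through TLS 1.3 record layer)
    'http'    - plaintext HTTP request line or response status line
    'unknown' - anything else (or too little data to decide)
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/"):
        return "http"
    return "unknown"


# (client address, server port, first bytes of the stream)
Flow = Tuple[str, int, bytes]


def find_plaintext_on_tls_ports(flows: Iterable[Flow]) -> List[str]:
    """Return one finding per stream that speaks plaintext HTTP on a
    port where TLS is expected. Streams that look like TLS, or that are
    on ports where plaintext is normal (80), produce no finding."""
    findings: List[str] = []
    for client, port, first in flows:
        if port in TLS_EXPECTED_PORTS and classify_first_bytes(first) == "http":
            findings.append(f"plaintext HTTP on port {port} from {client}")
    return findings


# Constructed sample streams (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    # Proper TLS: ClientHello record header, version 3.1 at record layer.
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # The scenario from the thread: plain HTTP request sent to port 443.
    ("10.0.0.7", 443, b"GET /calls/export.csv HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Server side of the same kind of stream: plaintext status line on 8443.
    ("10.0.0.9", 8443, b"HTTP/1.1 200 OK\r\nContent-Type: text/csv\r\n\r\n"),
    # Plaintext on port 80 is expected and is not reported.
    ("10.0.0.11", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Something that is neither TLS nor HTTP.
    ("10.0.0.13", 443, b"\x00\x01\x02\x03"),
]


if __name__ == "__main__":
    for finding in find_plaintext_on_tls_ports(SAMPLE_FLOWS):
        print(finding)
```

The check only looks at the first bytes of each direction, so it is cheap enough to run over a full capture or as a sensor rule; it does not answer the separate question the thread raises, namely whether the server enforces any access control at all, which has to be checked on the server itself.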