by jgelsey 2081 days ago
Practically, you don't do a cert for your site, you do it to protect visitors to your site getting compromised by a MITM attack.

A site without a cert is basically telling its users "I don't care about you."


I hear this all the time and I'm not sure if the people saying it have actually tried performing a MitM attack. First of all, a meaningful attack of this kind would occur when some data is uploaded - if it's just downloaded, you can basically do stupid pranks like replacing words and graphics. But more importantly, in order to actually perform a MitM attack, you need to have access to some parts of the victim's infrastructure that you normally do not have. For example, if you can perform the MitM attack by hijacking DNS (on a local machine or local network level), you can perform much worse attacks than MitM, and HTTPS cannot stop you. In such cases HSTS can be helpful, although it is not without issues itself.
Or, a local ISP or the coffee shop you are visiting has an appliance that injects ads into HTTP web sites. And those ads come from an ad network that doesn't do a good job of policing malware that gets into the ads' JavaScript. (Malware-laced ad networks are actually the #1 reason I use an ad blocker, since those are the only times I've ever gotten computer viruses.)
What ISPs are doing in the USA is beyond me - how on Earth can people tolerate their traffic being inserted into or messed with in ways like that?

As for coffee shops and other public access points, people really need to understand the consequences of what they are doing when connecting to any of these. Using HSTS is just an antidote to one particular problem. But when you connect to a hostile AP, many worse things can happen.

Access to the infrastructure is pretty easy - e.g. a WiFi Pineapple is $99. https://shop.hak5.org/products/wifi-pineapple

There is no absolute protection against compromise, but it would be polite for every web site to implement HTTPS and HSTS to at least make it harder for visitors to be compromised. It costs them very little.

Maybe the analogy is soap in the bathroom at a coffee shop - most customers will not get cholera if the soap is missing, but is it moral for the shop owners to take the risk when the cost is so low and the downside is so high?
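The comments above argue about what HSTS does and does not buy a visitor. As an added illustration (not code from this thread or from any browser), here is a small model of the client side of RFC 6797: parsing the Strict-Transport-Security header, remembering the policy only when it arrived over HTTPS, and deciding whether a later http:// URL gets upgraded. It also shows the gap both sides allude to: before the first HTTPS visit there is nothing in the cache, so an injecting AP or ISP appliance still sees plain HTTP. Host names, timestamps and header values are constructed sample data.

```python
"""Minimal client-side HSTS model (RFC 6797); an added example, not browser code."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires_at: float
    include_subdomains: bool


def parse_hsts_header(host, header, now=None):
    """Parse a Strict-Transport-Security value. Returns HstsPolicy or None if invalid."""
    now = time.time() if now is None else now
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # quoted-string form is allowed
        if name in seen:
            return None   # RFC 6797 6.1: a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. "preload") are ignored by the client
    if max_age is None:
        return None       # max-age is mandatory
    return HstsPolicy(host.lower(), now + max_age, include_sub)


class HstsCache:
    """The browser's per-host HSTS store plus the upgrade decision."""

    def __init__(self):
        self.policies = {}

    def observe(self, host, header, over_https, now=None):
        """Record a policy from a response. Returns True if the header was acted on."""
        if not over_https:
            return False  # RFC 6797 8.1: header is only honoured on a secure transport
        now = time.time() if now is None else now
        policy = parse_hsts_header(host, header, now)
        if policy is None:
            return False
        if policy.expires_at <= now:          # max-age=0 tells the client to forget the host
            self.policies.pop(policy.host, None)
            return True
        self.policies[policy.host] = policy
        return True

    def is_known_host(self, host, now=None):
        """Exact match, or a parent domain whose policy has includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the client will actually fetch."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        if not self.is_known_host(host, now):
            return url                          # no policy yet: plain HTTP goes out as-is
        # RFC 6797 8.3: scheme becomes https, port 80 becomes 443 (implicit);
        # any other explicit port is preserved.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_000_000
    print(cache.rewrite("http://example.com/login", now=t0))        # first visit: not upgraded
    cache.observe("example.com", "max-age=31536000; includeSubDomains", True, now=t0)
    print(cache.rewrite("http://example.com/login", now=t0 + 60))   # upgraded
    print(cache.rewrite("http://api.example.com:8080/v1", now=t0 + 60))
```

The first print shows the trust-on-first-use hole: nothing is upgraded until one clean HTTPS response has been seen, which is why preload lists exist and why a hostile AP that gets the very first connection is still a problem.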

> Access to the infrastructure is pretty easy - e.g. a WiFi Pineapple is $99. https://shop.hak5.org/products/wifi-pineapple

Even though there are buggy WPA2 implementations, in general it's pretty difficult to get in unless a trivial passphrase is used in WPA2-Personal. With WPA2-Enterprise, it depends on the method used, but breaking properly implemented EAP-TLS is really difficult. Your best bet is to look for bugs in routers etc.

But this basically proves my point: if the attacker can get into your network, messing with the output from Paul Graham's HTTP server should be the least of your worries.