Even if they knew the site was static, "not secure" would still be valid. An ISP or malicious wifi network may be recording their browsing history, downsampling images, injecting or replacing ads, replacing executables with backdoored versions, adding fake login forms or popups to get the user to give a password of theirs, etc.