How is this considered even remotely good advice? I agree that you should definitely do all of the other things advocated by the author, but why not use HTTPS everywhere? Because of the risk of engendering a false belief that your site is secure?

This is a rant based on a flawed principle; that if you can't do it all, don't do any of it. If you don't use HTTPS, you will open yourself to many additional attack vectors. Why would any security professional give this advice? It makes no sense at all.