I really appreciated this new post from Troy Hunt about the benefits of HTTPS for static sites:
Basically, it runs through a number of alarming content-injection attacks that can be pulled off against HTTP static sites that have no login or private data. (Sadly, this list isn’t even comprehensive!)
Feel free to share this if anyone asks about what the point of HTTPS is for static sites; it seems like a great exposition. (There’s also a detailed video that I haven’t watched that apparently demonstrates the content-injection attacks.)