> it should be super easy to make a site that is secure.

A "site" that's a static webpage? Sure.

A full application that just happens to use HTTP as one of its interfaces? More difficult than you'd think.