Wordpress (Automattic) has announced that it sill step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.
Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories. This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.
That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs. People tell me the latter can be done, but it will be a lot of work.
With Trump coming to the Whitehouse, many service providers are on edge now about "national security".
I wonder why Trend Micro has Automattic's rating as gray.