Secure how?

Obtaining a public certificate from a well-known registrar requires Internet connectivity for the ACME protocol, and that's at odds with the other best-security-practice of isolating internal systems like NAS devices well away from general Internet connectivity.

The problem is even worse for home routers. They need Internet connectivity to have a chance of obtaining a certificate, but since they provide that connectivity to a network they can't obtain the certificate until they're set up. But setup generally happens via a web browser and captive portal, so we're right in the middle of a bootstrapping problem.

https/TLS everywhere on the public Internet is a great thing, but it's not a reasonable expectation for private networks with private devices.

There are lots of perfectly good (well, suited to their purpose, anyway) appliances (as in: pieces of hardware that cost money) out there that have web interfaces that don't speak 100% valid https. In part, this is because achieving fully-valid https on a machine on a local network, without a static domain name, with a machine & network config that you (the vendor) don't fully control, potentially without an Internet connection, and without installing root certs on client devices is, to put it mildly, inconvenient, and used to be even worse.

Getting rid of http or insecure-https support completely would render either them, or your browser, useless, and require that one or the other be replaced.