To be clearer, my point was that HN not using HTTPS doesn't seem like a reason not to require sites to use HTTPS, let alone introducing any security regulations at all.
To be clear myself, the point is that there are bigger fish to fry. Mandating one practice when we can't even implement another smells like an issue of the week.
All standards become obsolete eventually. Mandating them by law is a sure road to legacy legal cruft hurting the legitimate aims it was put in place to help.