Without HTTPS the content that the user receives can be inspected and modified in transit. The site can effectively be hijacked without the site itself having changed. A picture might be substituted, or a plain text home page might be modified to run script that delivers malware.