I meant to put an example in my report. Here's one:
Using http links in the emails wouldn't fix the problem entirely, but it would fix it for one common way of accessing the site. I notice that Google search links also report https, which means https links are posted on other web sites. That entry point would be harder to fix.
You could automatically rewrite all http resources to remove the protocol. That would completely fix the problem, but there are some (very few) sites that don't support https, as you say.