Reply to post:

Does UK high street banks' crappy crypto actually matter?

Ben Tasker

Security researcher Scott Helme and encryption expert Professor Alan Woodward were both adamant that this was a serious failing, not least because updating to support the technology would be straightforward,

I've often found that you'll see people saying "it should be done, and is straightforward to do" only to later find they have no understanding of either the systems they're referring to, nor the operational requirements of the organisation operating those systems.

It's straightforward to update a low-traffic VPS to do almost anything; it's almost never straightforward to "just" update anything at scale, particularly where there are strong security considerations to be made infrastructure-wise.

As others have noted, any plans to do so are probably stuck deep in bureaucracy at the moment.

Lack of HSTS isn't all that big a deal in the scheme of things. Especially when as late as last year, certain banks were still using plain old HTTP to load assets for their banking apps: https://www.bentasker.co.uk/blog/security/315-the-state-of-mobile-banking

Funnily enough, that bank was the only one I'd tested that had bothered to configure HSTS on their "main" domain, and then they went and did something like that. They're also the only one who scored an A in the Reg's tests... go figure

I think calling the lack of HSTS a "serious" failing is one hell of a stretch. It's a failing, but there are far bigger issues that need to be addressed first. Just my 2 cents
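The two findings the comment contrasts, a missing or weak HSTS policy versus assets loaded over plain HTTP, can be checked side by side from a captured response. This is an added example, not code from the commenter or The Register; the headers, HTML and the example-bank hostnames are constructed, and the one-year max-age threshold is the example's own assumption.

```python
from html.parser import HTMLParser

# Constructed sample response, not any real bank's: HSTS is present but
# short-lived, and the page loads a script over plain HTTP.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}
SAMPLE_HTML = """<html><head>
<script src="http://static.example-bank.test/app.js"></script>
<link rel="stylesheet" href="https://static.example-bank.test/app.css">
</head><body><img src="//cdn.example-bank.test/logo.png"></body></html>"""

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

class _AssetScanner(HTMLParser):
    """Collect src/href values of script, link and img tags."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img"):
            self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def plain_http_assets(html):
    """Asset URLs fetched over unencrypted HTTP; scheme-relative ones are fine on HTTPS."""
    scanner = _AssetScanner()
    scanner.feed(html)
    return [u for u in scanner.urls if u.lower().startswith("http://")]

def assess(headers, html, min_max_age=31536000):
    """Report the two issues the comment contrasts: HSTS strength and mixed content."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header")
    elif (parse_hsts(hsts)["max_age"] or 0) < min_max_age:
        findings.append("HSTS max-age below one year")
    for url in plain_http_assets(html):
        findings.append("asset over plain HTTP: " + url)
    return findings
```

Run `assess(SAMPLE_HEADERS, SAMPLE_HTML)` on the constructed sample and both findings are reported; the mixed-content one is the more immediate risk, since the script runs with the page's full privileges regardless of how HSTS is set.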
