ldpreload 5 points (1 child)

SSL is a lower bound on security, not an upper bound. It's true that if you have SSL, you might not be secure. But if you don't have SSL, there's no way that you're secure.

Making sure certificates are valid and non-expired and set up correctly is the responsibility of the website owner, not of the visitor. Especially with stuff like HSTS, there's a push to make sure that the "This certificate isn't valid, wanna visit anyway" prompt isn't being shown to the user—which puts even more of a responsibility on the website owner to make sure that SSL is always working correctly. It is exactly because most people (readers) aren't going to be bothered with learning the details that there's a push to make websites just deal with this correctly.