They're back now.

browsers these days like to call such insecure even where there really is nothing (on the site) to secure

The browser can’t know that. It only knows that the site wants to be secure but hasn’t done it right.

Good to see this resolved in such a timely fashion.

It only knows that the site wants to be secure but hasn’t done it right.

In this case W3C was apparently running HSTS (HTTP Strict Transport Security) that tells clients they should always connect to your server via HTTPS, even when following an HTTP reference.
Note: the benefits are (1) it saves the otherwise necessary 301 of http to https, and (2) defeats attacks such as SSL Stripping, ISP ad injection, etc.

Which, matches with your quoted comment above.

However, what I meant was that browsers increasingly mark http served sites as insecure.

Also, while most sites use a third party host and have little to no choice those running their own server can run both HTTPS and HTTP in parallel as they use separate ports and/or normally redirect from HTTP to HTTPS with a failover from HTTPS to HTTP when required. Not seen too often but is done occasionally where visitor PII input is not required.

Perhaps too many info vectors in one comment? Racing off in all directions? I resemble that remark...

They use a domain validation SSL certificate. This would have been a nice opportunity to move to Let's Encrypt and automate the SSL renewal process.