Searching for non-SSL references in the code base is a smart idea and you should probably report any you find on hackerone.com (the place to disclose WordPress vulnerabilities).
I also suggest you review the WordPress Security page on wordpress.org.
To answer your question, I would say WordPress has been audited extensively for various security vulnerabilities by both the internal WordPress team and countless number of external security experts as evidenced by the authors of reports on Hackerone. You can see a list of security updates here. I reviewed the most recent security updates (going back to the 4.7 branch, January of 2017) and found the following references to SSL and HTTPS:
- Use safe redirects when redirecting the login page if SSL is forced
- Insufficient redirect validation in the HTTP class
It’s very possible that no, non-HTTPS scans have been conducted or acted on but that is probably intentional as, although the majority of public sites are on HTTPS, there may still be millions that aren’t and forcing SSL where it isn’t supported would break people’s sites. Also, many, possibly most, developers don’t use SSL on their local machines. Forcing SSL in this situation (a local development machine) would also cause issues for developers working on their local machines.
Perhaps the most revealing search, however, is on the WordPress core on https://core.trac.wordpress.org/search?q=ssl There you can see lots of tickets and diffs addressing insecure schemes. Still, however, I have been unable to find one that explicitly addresses the issue of non-HTTPS schemes.
So, I have not been able to find evidence of a specific audit of non-HTTPS URLs but I have found evidence of insecure redirects being addressed in security updates.
On a side note, I personally would try to avoid calling HTTP (no S) insecure. It is simply a protocol and actually still has a purpose in this world – less every day but it is still used and fit for purpose.