The login process itself is not as important, it is a one time thing that with the right settings you can do once a year.
What is important is the authentication cookies that are being sent. As long as they are not encrypted it doesn’t matter at all how much defense you put on the login form itself, and cookies are sent every time any of the URLs of the site are being fetched.
So you either have SSL or you are not secure. There is a middle ground in wordpress in which you will automatically get HTTPS URLs for logged-in users (and the login form) but obviously you still need a certificate.
Why would anyone not use HTTPS when the threat of WiFi is known and the cost of a certificate is zero? because the cost of the “free” certificate is wasting time to configure it and administering it, and while the WiFi threat exist, no one showed it that using WiFi is less secure than having an account on Yahoo, and most people do not connect from an external Wifi to their sites. Personally I use my cellular data even when free WiFi is available.
There are also other benefit of not running a full HTTPS site, especially caching. When you do HTTPS your content can not be cached.
So yes, the industry (google) tries to make it a case of white and black but in reality it is (like most things) gray. Everyone has to asses his own security risks and compare it to the amount of work required to overcome it and make his own decision