Hi Para-Noid,
There is enough wrong with a lot of HTTPS Everywhere domains. Wrong server configurations, missing or wrong security header implementations, mixed content sites, log-ins with alerts for all log-in info going over the wire in plain text form.
And a lot of possible other issues making the ideal situation look good at first sight, but the real world situation is often worse as could be (POODLE, BEAST and Heartbleed, certification errors, encryption served "from the weak side up" (surveillance can be performed without much of a hassle)). So a lot of good will going hand in hand with a lot of incompetence and situations where money comes before security. Now you understand that malvertisers are a problem on a normal http website, but when they come encrypted on a https website in the present situation the detection problem can outgrow the added protocol security.
I perform webscans as a volunteer website analyst, so I know what I am talking about with thousands of examples scanned.
The Browser JSGuard extension in Chrome and SaferChromeSecurity extensions will give you some good insights into the overall https site insecurities that exist.
polonus