That's technically true but irrelevant: on the web, SSL came well after the initial wave of adoption and U.S. companies were restricted by law[1] from exporting strong encryption to people outside of the United States. It took awhile to get programs updated and for years it was common to see separate versions (or even third-party patch trees) on download pages.
All of that meant that someone launching a service couldn't assume that their users’ software supported encryption at all or securely for years. Coupled with the previously mentioned horrible user experience and cost of certificates, that really killed the idea since the password experience was both easier and far more familiar.
