It's insecure because someone on-path (or actually off-path, but harder) could replace the contents of your website with whatever they want, including taking payments "on your behalf" and then just pocketing them. The main original point of HTTPS, and why I assume it does not use STARTTLS or similar, is so people in the late 1990s and early 2000s could figure out what websites they were allowed to put their credit card numbers into.