I suspect that the very biggest reason that the Times has not gotten there yet is revealed in this section:

The Challenges

To successfully move to HTTPS, all requests to page assets need to be made over a secure channel. It’s a daunting challenge, and there are a lot of moving parts. We have to consider resources that are currently being loaded from insecure domains — everything from JavaScript to advertisement assets.

If the assets for an advertisement aren’t able to serve over an HTTPS channel, the advertisement will probably not display on the page, directly affecting revenue. It can be difficult to determine if each advertisement will load over HTTPS. Considering the importance of advertisements, this is very likely to be a significant hurdle to many media organizations’ implementation of HTTPS. While some advertising platforms, including Google’s DoubleClick for Publishers (DFP), do support HTTPS loading, there are still a number of ad networks that may not be HTTPS-compatible.

That particular NY Times article has references to (at minimum) the following third-party resources:
Dynamic Yield, Google Analytics, New Relic, Web Trends, Adobe Typekit, Scorecard Research, Revsci, Chartbeat.

Mike, can you tell us how difficult it was for you guys to go HTTPS? This very TechDirt article is pulling even more third party resources: Bizo, ChartBeat, DoubleClick, Facebook Connect, Flattr, Google Analytics, Google+ Platform, Gravatar, Quantcast, Reddit, Scorecard Research, Twitter Button, Akamai (not sure that counts), Google APIs, Google Tag Services. And possibly others I cannot see.

Just how much of a challenge is it?