That article was kinda... fluffy and didn't really get to any useful conclusions about why things should be done or not, but that's because I think there is a lack of understanding about what the certificate is doing and why.
First up, why do we care about encryption? Especially for sites that you'd think wouldn't need it. Well, his point about the USA surveillance programs is valid - but with a caveat... if something is public information (like, say, business hours) why would it matter if you encrypt it at all or not?
There is the argument that the government has no need to see what you're looking at - but, well, your ISP knows, or at least, someone knows because you need to get DNS records from somewhere so which *site* you're going to will be findable in some fashion. (We can talk about DNS-over-HTTPS some other time, and the host of issues *that* has.)
But there are a couple of things we don't talk about: passive listeners and MITMs.
So, how many sites do you have a login for? How many of those - like small forums, blogs, etc. - previously weren't using HTTPS? That would mean that, in most cases, you were sending your username/password over the internet in plain text, and that little data packet was travelling a long way between your computer and the other server, through several networks. It wouldn't have been hard for someone to add a packet sniffer *somewhere in the way* and for your username/password to be sniffed that way. And of course, the world's gone mobile so you're not just sending data through wires where you'd need a physical intercept, you're sending it in the air where *anyone* could have read it.
(You might not think this is a real thing to worry about but consider if you were someone with a legitimate reason to have covert communications, this is one of those considerations. I don't mean 'spies' but think about people trying to escape from an abuser, reaching out to people via forums. This is not a hypothetical situation either.)
HTTPS stops all that by encrypting everything that gets sent between your computer and the destination server. While parts of the network still get to see the start and end, everything in the middle is wrapped up in sealed boxes, meaning it's much much more difficult for people to intercept it.
And that brings me to the MITM, the man in the middle attack. If the traffic isn't encrypted, it's entirely possible to change the content in transit. A relatively benign example might be a proxy service that receives a page, injects an ad and sends it onwards. But there are documented cases of much more insidious things - imagine if you were using a messaging system that wasn't secure, again in the abuser scenario, where the abuser could intercept the communications. Consider someone trying to get away from their abuser, arranging a meet, only for the time, date and address of the meet to change - without the abuse victim knowing, because the content was tampered with in transit. (This is, again, not a hypothetical situation. Sadly.)
HTTPS is a line of defence against both of these, and something that the article didn't address - which to me seemed like a huge problem when explaining that 'so many sites use HTTPS now', well, here's the real reason why.
His argument for not using LE is mostly that "well some people don't trust LE". This is true, some browsers don't. But the same browsers don't tend to trust the paid vendors any better. A quick perusal of some SSL vendors indicates that even if you pay for their certificates, it doesn't guarantee that it'll work:
* RapidSSL - "support for more than 99% of browsers and most mobile device browsers"
* Gandi - "99% browser recognition"
* Comodo - "Trusted by all popular browsers with 99.9% Ubiquity"
* DigiCert - "Compatible with all major browsers"
They're not saying "all browsers" or even "all supported browsers", they're saying high percentages and things that are roughly equivalent to Let's Encrypt. So that's a fiction.
And then there's the matter of lifespan; LE certs are only ever issued for 90 days at a time. Should the cert keys be leaked, that's the maximum window of exposure, unlike SSL where you can buy 10 year certs. This of course also means that not only might you go up to 10 years without renewal, come the end of that 10 years you might forget you need to do it, while LE is intended to be fully automated.
LE even offers wildcards now, which is very convenient if you're running a service where you give users their own subdomain (e.g. user.domain.com) meaning that for most uses you're good.
Where it does fall down is that it's only validating against the domain. You don't have any proof that the person running the domain is the entity you think you're dealing with. For most sites this is of course not an issue because the (vast) majority of sites aren't doing anything where you'd care that the entity on the other end of the connection is *exactly* who they claim to be. Most of the time the domain + DNS is good enough, but when it comes to something like your bank, you'd absolutely want to care that they are who they claim to be.
And this is where the traditional SSL vendors come in with their OV and EV certificates. These do additional checks on the person(s) applying for a certificate, proving that the entity applying is indeed who it claims to be. If it's for a business, it's proof that the business exists and exists at the address in question, and records will be required to substantiate this. This is all stuff most users simply don't need - and even smaller businesses that are taking money don't *really* need this (because they're using services like Stripe and PayPal that will have this sorted out for them).
----
Anyway. Long story short: unless your site is literally static HTML and you have no login system and you don't care if people misrepresent your content, you probably want HTTPS, and free is almost certainly good enough.
Free is possibly not good enough if a) you're doing something LE doesn't support (multi-domain, or for whatever reason you can't validate the domain over DNS), or b) you're an organisation where user impersonation *matters* and has consequences, and by which I mean 'failure to get this right doesn't affect that one person who buys a thing on your website once, but affects millions of people with life altering consequences.
Anything else is somewhere on that spectrum and how much trust you want - not that users often check the extended cert types anyway.
