A few sites I run into once in a while have the following bad setup, which HTTPS-only flags (because it's actually unsafe) but looks normal to most people:
You will also see the mirror image mistake (www.example.com is canonical, but the redirects go from example.com only on HTTP) at similar rates.
This is all because Tim chose not to rely on SRV records to make his toy hypermedia system work and decades later we're still paying for this (among others) mistake.
1. http://www.example.com/ exists and redirects to http://example.com/
2. http://example.com/ also exists and redirects to https://example.com/
3a https://example.com/ works fine but
3b https://www.example.com/ does not exist
4. External links go to http://www.example.com/stuff/goes/here
You will also see the mirror image mistake (www.example.com is canonical, but the redirects go from example.com only on HTTP) at similar rates.
This is all because Tim chose not to rely on SRV records to make his toy hypermedia system work and decades later we're still paying for this (among others) mistake.