While the main risk people see is that an ISP can modify HTTP content (yes they are), we do have other ways that users can be attacked using HTTP, and it can all be prevented using HTTPS. You can check out the Troy Hunt article about it called Why Your Static Website Needs HTTPS (also a video). If you want to know more about how users can be affected when it’s not the users ISP just read below.
We have devices in the wild called Wi-fi Pineapples that can force users devices to connect to it by mimicking real networks the user trusts like a home network while out and walking about. Using this the network can inject anything including malware into any HTTP page. But this is the key, the user must load a webpage (easy as they know they only connected to trusted networks) and the page they open is NOT using HTTPS.
It’s not just the users ISP
It does not always need to be the users ISP, it can be one of the many dozens that a page page can travel using before reaching the user. You see when a webpage is requested it can travel over a lot of different networks before reaching the user, the farther the user is from the origin the more networks it can go over. Here we loaded wikipedia.org and recorded the networks the data is transferred over.
As you see at the top is the network the user is on, in this case the ISP is Shaw Cable, and goes over many devices and networks before reaching the host at text-lb-ulsfo.wikipedia.org. At any point during this any infected device can modify HTTP requests and make changes. It only takes one infected system.