I agree. This could happen in any web service, SOAP or otherwise, that pushes back the endpoint URLs as part of a capability discovery mechanism.

And even if this endpoint (defined in the WSDL) was changed to to https there is nothing stopping you from overriding it and pointing it to any other (possibly unsecure) URL.

I thought the exact same thing as soon as I saw the URLs. This could happen with ANY web service that returns URLs, even a REST one with a more HATEOAS-style approach.