Point #3 always brings me back to MITM, and how there's almost no way for a technically-illiterate user to avoid getting tricked into using an HTTP-only site. Nobody ever notices sslstrip. And while many people might counter with 'I don't care about that use case, it's unlikely', they basically assume that nobody will ever mitm their connection, which implies that they don't need secure connections. I wonder how often people actually think about these contradictions.


HSTS prevents that, though it doesn't protect you the first time you visit the site, unless you request addition to HSTS preload lists.

If you want to be added to the Chrome HSTS preload list, which is also used by Firefox, go here: https://hstspreload.appspot.com/


That's assuming a lot. Here are the reasons HSTS will not protect people:

1. Your browser has to support it. IE still does not support it; it is 'expected' in IE 12. Also vulnerable are people with Mac OS older than 10.9, Chrome older than 4.0.211, and Opera older than 12. Most people I know (non-techies) keep their browsers for the life of their computing device. So basically that's a gigantic pool of users who do not have HSTS support.

2. When they do finally get support, websites have to enable it explicitly. Here [1] is a sample graph of how few sites actually enabled it at the end of last year (about 2 out of every 1000 of the top 1mil sites, or 0.001905%).

3. The 'max-age' is often not set very long, meaning there's an increased chance for a new attack to succeed.

4. The preload list is not scalable.

[1] http://hstscheck.phpgangsta.de/
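Points 2 through 4 above are about how a site's own Strict-Transport-Security header is configured, which is something a defender can check for themselves. The following is an added example (not code from either commenter or from the linked checker) that parses a header value with the RFC 6797 directive syntax and flags the weak settings the thread mentions: a missing or short max-age, a missing includeSubDomains, and a missing preload token. The sample header values are constructed for the example, and the one-year threshold is my reading of the hstspreload.org submission criteria (verify against the current requirements there).

```python
"""Parse and grade a Strict-Transport-Security header (RFC 6797 syntax)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the preload list requires max-age of at least one year
# (31536000 s) plus includeSubDomains and preload. Check hstspreload.org.
ONE_YEAR = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    malformed: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Split the header into directives; names are case-insensitive,
    values may be quoted, unknown directives are ignored."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            # RFC 6797 says a UA must ignore a header with duplicate directives
            policy.malformed.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.malformed.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def grade(header: Optional[str]) -> list[str]:
    """Return finding codes for a response's HSTS header; empty means the
    policy is long-lived, covers subdomains and is preload-eligible."""
    if header is None:
        # Nothing pins the user to HTTPS; every visit depends on the URL typed.
        return ["no-header"]
    policy = parse_hsts(header)
    findings = list(policy.malformed)
    if policy.max_age is None:
        findings.append("max-age-missing")
    elif policy.max_age == 0:
        findings.append("max-age-zero")          # max-age=0 deletes the policy
    elif policy.max_age < ONE_YEAR:
        findings.append("max-age-short")         # point 3 in the thread
    if not policy.include_subdomains:
        findings.append("no-include-subdomains")  # subdomains stay downgradable
    if not policy.preload:
        findings.append("no-preload")            # first visit is unprotected
    return findings


# Constructed sample responses, keyed by a made-up host name.
SAMPLE_HEADERS = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": "max-age=300",
    "quoted.example": 'max-age="600"; IncludeSubDomains',
    "none.example": None,
}


def grade_all(samples=SAMPLE_HEADERS) -> dict:
    return {host: grade(value) for host, value in samples.items()}


if __name__ == "__main__":
    for host, findings in grade_all().items():
        print(f"{host}: {findings or 'ok'}")
```

Run it against a real site by feeding the value of its Strict-Transport-Security response header into grade(); an empty list corresponds to the state the preload form expects, and each code maps back to one of the gaps listed in the comment above.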


Definitely not a perfect solution -- all your points are definitely gaps in Strict Transport Security.

However, there's still a lot of value to adding HSTS. As for #1 and #2 and #3, HSTS is a standard that can and will be more broadly supported (and better implemented) over time probably more quickly than HTTP2 will be supported on most servers.

Personally, I'm most concerned about #4. This is something the IETF should be working on (if they aren't already).

At the end of the day, if you've already mastered transport encryption, you may as well go forward with HSTS as well.
