HTTPS is a serious issue because if there is not HTTPS, your data transmitted will not be encrypted. Also, you should check the shopping cart's SSL Certificate (a digitial certificate that forms HTTPS) whether it is valid and the authority that issued them is also valid. This is because one of the issuer Comodo just got breached 2 months back and hundreds of fake SSL certificate being issued. Hence, HTTPS also need to see the validity. Microsoft already updated the certificate status, so if you view those certs, it should appear revoked or invalid.

Yah, there are many types of Web Application Vulnerabilities around. If your site is hit with SQL injection, it can be as bad as entire DB take over. Gotta put a very high concern into web vulnerabilities.