I'm definitely with you on this aspect, however, it seems as though the "learning curve" for this kind of issue hasn't caught up with the internet-using public - people base their decision on whether or not to enter their social security information, credit card information, etc upon whether or not they trust the content provider (and upon whether or not they are interested in the product or service being offered in exchange for their information)

Notifying the content provider does presume that the content provider either knows and has chosen not to implement a secure form (in which case a rude reply might be expected) or does not understand how to implement a secure form (which, again, may result in a rude reply or being ignored) - I see this as an ethical question in the sense that there will invariably be some users who choose to make use of the form, and notifying a webmaster who was unfamiliar with securing the forms does offer the possibility that some action will be taken to correct the issue.