Exposing your database to connections from the open internet is already a pretty bad signal, SSL or not.

Probably are missing from the study all the postgresql servers with sensible security around them, that may or not be using SSL, but in a lot of cases it may not matter.