The problem with both of those is simply that they aren’t hosted securely. It’s not that the API is poorly designed, it’s just that security policies in the most popular browsers are changing and these services are left behind. To your question, their rationale (not mine) for not allowing an SSL connection is simply one of economics. Encryption is a slow, processor-intensive operation that can cost a significant amount of money and bandwidth when it’s being done at the sort of scale both of those companies see.
Keep in mind that “API” is a huge concept that goes far beyond the scope of remote services or AJAX. Servers expose data, but many of the frustrations you’ve faced have been due to security policies in the browser, not the server. While it seems unnecessarily obstructive, it’s anything but. Without these strict security protocols, I could easily put up a web page with a provocative domain like “http://www.nakedsexpicturesooohyeahhubbahubba.com” that simply runs a script looking for browser cookies, accesses your bank account, and transfers all funds to my overseas bank.
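
The two browser checks discussed in the post above, sketched as an added example that is not part of the original post. It assumes the policies in question are mixed-content blocking and the same-origin policy; the function names and the `app.example` / `api.example` URLs are constructed for illustration, and real browsers apply further rules beyond this simplified model.

```javascript
// Simplified model of two browser-side checks (an illustration, not browser code).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) tuple the same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// A script-initiated request from an HTTPS page to a plain-HTTP URL is mixed
// content and is blocked. Current major browsers exempt loopback hosts.
function isBlockedMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (page.protocol !== "https:" || req.protocol !== "http:") return false;
  const loopback = req.hostname === "localhost" || req.hostname === "127.0.0.1";
  return !loopback;
}

// Decide what happens to a request made by a script running on pageUrl.
function classify(pageUrl, requestUrl) {
  if (isBlockedMixedContent(pageUrl, requestUrl)) {
    return "blocked: mixed content";
  }
  if (isSameOrigin(pageUrl, requestUrl)) {
    return "allowed: same origin";
  }
  return "cross-origin: response readable only if the server opts in via CORS";
}

// Constructed sample requests from a page served over HTTPS.
const page = "https://app.example/dashboard";
for (const target of [
  "http://api.example/v1/quote",   // API without HTTPS
  "https://api.example/v1/quote",  // different host
  "https://app.example:443/data",  // explicit default port, same origin
  "http://localhost:3000/dev",     // loopback exemption
]) {
  console.log(target, "->", classify(page, target));
}
```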