The unencrypted link they gave in the email is much more open to a man-in-the-middle attack where you are redirected to a card-stealing site (that looks EXACTLY like the QR one) instead of being redirected to the secure site whose URL you quote above. The URL to where you get redirected would be slightly different, and most likely you will not notice the difference, and you wouldn't even know you've been skimmed.

This is pretty basic internet security, and therefore a major security fail on QR's part.