HTTP requests can be manipulated by third parties (mitigating this is one of the main purposes of HTTPS). What happens if a third party modifies a HTTP response to add a HSTS header? Imagine that this happens to a site which does not support HTTPS. The client now attempts to access the site over HTTPS, which is not supported. Voilà: the third party has completely blocked access to the site (and for quite some time, if it was a long-term HSTS header).
HTTP requests can be manipulated by third parties (mitigating this is one of the main purposes of HTTPS). What happens if a third party modifies a HTTP response to add a HSTS header? Imagine that this happens to a site which does not support HTTPS. The client now attempts to access the site over HTTPS, which is not supported. Voilà: the third party has completely blocked access to the site (and for quite some time, if it was a long-term HSTS header).