HTTP Strict-Transport-Security Header CSCvc82150

hmc250000
Level 1
Which version of the ASA software actually has the fix for this vulnerability? HTTP Strict-Transport-Security Header CSCvc82150.

I would not expect that this will get fixed/handled anytime soon.

  1. It's not really a bug, it's a feature request.
  2. Although I also would really like to see it on the ASA (and every device using HTTPS), there is no real threat with not having that feature. It is important when a device is reachable through HTTPS and HTTP, because then a MitM attack could circumvent your security. But on the ASA, there are no services that can be reached in cleartext. From the public there are SSL/TLS-VPNs which are not available through HTTP, and from the inside (your trusted network) there is the ASDM, which also won't run without SSL/TLS.
  3. Also, if HSTS were available on the ASA, the client would also have to honor it. For browser-based access this is widely available, but I don't think that AnyConnect and Java (for ASDM) do it.

While thinking about it, there could be a possible workaround:

If you have a publicly reachable webserver that is using the same domain as the ASA, you can configure that for HSTS. This domain can then be entered into the HSTS preload list. As mentioned, I don't think that it will make any difference for AnyConnect and ASDM, but your clientless VPN users will start using HTTPS even if they don't specify it in the browser.
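To check whether the web server on the ASA's domain actually sends an HSTS header that qualifies for the preload list (the workaround described in the reply above), here is an added example in Python; it is not part of this thread or of Cisco's software. The one-year minimum max-age plus the includeSubDomains and preload directives are assumed here to be the hstspreload.org submission requirements, and the sample headers are constructed.

```python
"""Check a Strict-Transport-Security header against HSTS preload requirements."""

# hstspreload.org submission requirements (assumption: check the site for current values).
PRELOAD_MIN_MAX_AGE = 31536000  # at least one year, in seconds


def parse_hsts(header):
    """Parse an HSTS header value into its directives (RFC 6797 syntax)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: browsers ignore the whole header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None  # max-age is mandatory; without it the header is invalid
    return policy


def preload_problems(header):
    """Return the reasons the preload list would reject this header (empty = eligible)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers. GOOD_HEADER is what the public web server sharing the
# ASA's domain would need to send for the preload workaround; WEAK_HEADER is a
# common "HSTS enabled" setting that still does not qualify for the preload list.
GOOD_HEADER = "max-age=63072000; includeSubDomains; preload"
WEAK_HEADER = "max-age=3600"

if __name__ == "__main__":
    for h in (GOOD_HEADER, WEAK_HEADER):
        print(repr(h), "->", preload_problems(h) or "preload-eligible")
```

Feed it the header value a real server returns (for example from `curl -sI https://host` on the Strict-Transport-Security line) to see which preload requirement is still missing.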
