It's not as if it's a hard concept to understand. If your secure website loads any content from an insecure URL, then it's not your website anymore. And yes, this even applies to images - an attacker could replace a "Click here to submit" image with, I don't know, a "For security reasons enter http://evil.example.com/ in your address bar" image or something.
This mini-rant brought to you by being about to place an order online and wondering why there's no padlock symbol despite the site using a https: URL.