I'm fully aware of the insecurity of this approach, but have a justified need for Basic http authentication for a WCF hosted SOAP webservice. Is there really no way to make this work? Every method I've found of adding basic auth requires transport (https) security.

I think you're looking for "TransportCredentialOnly". See this MSDN article.

The binding would then look like this:

<bindings>
    <basicHttpBinding>
        <binding name="NewBinding">
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Basic" />
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

The above code snippet was taken from this blog article on the topic.