So...
1 - there are many Facebooks - desktop, mobile (few versions), 0 (mobile and text only), iOS app, Android app and many other. So why this is important - some of them strip UTM tagging, other pass them and 3rd sent direct traffic. Example - mobile apps sent direct traffic - there isn't referral. From mobile/desktop web - due stripping HTTPS to HTTP referral is also stripping so you get direct traffic. That's why you need to start working little bit with your HTTP web log files and analyses them. There you can find pattern.
Also i heard (but i'm not tested this) that Facebook uses canonical URL of page. So when you make ads Facebook bot come and crawl page content, extracting canonical and later ignore your UTM parameters. As i said - i only heard about this so i can't confirm or deny this. That's why you need to implement "facebook tracking pixel".
That's why some of campaigns there are passed over URL shorteners as - bit.ly, ow.ly or other. Because you can check what's passed to shortener before come to your site. I won't recommend this because one more redirector is killing mobile performance with between 300-600ms (or over!) delay.
2. Yes. Since your site is HTTP this strip referrers from HTTPS. Clicks from desktop apps are direct and there isn't referrer. Also please note that there is new HTML tag about this:
https://moz.com/blog/meta-referrer-tag
and there you can be restricted also what kind of information will be shared with you from browser.