So as the title suggests the "www" version of my website shows as not secure, despite having an SSL. The non-www version is secure. Any idea of why this might happen?
If your SSL certificate covers both www and non-www, it sounds like you're loading some HTTP assets on the www-version of your website.
But the real question is, why have both www and non-www accessible? I would highly suggest to set up a 301 redirect to your "primary".
Some here might be able to give a better answer than me, but it's hard to say directly what's wrong without seeing the website - feel free to drop me a PM with the URL and I might be able to help you in the right direction.
Robin is correct. Your site should be 301 redirecting to one single canonical version. In your case it sounds like the non-www. This isn't negotiable unless you want Technical SEO problems with Google.
The other thing, too, that Robin points out, is your SSL cert should be covering both versions of the site regardless if only one is public facing.
I agree as well, there's two reasons why the www version isn't secure. Your certificate doesn't cover it (it probably does assuming you're using Let's Encrypt and cPanel or WHM). That would mean that somewhere you're loading resources from a non-HTTPS domain (either your own or someone else's). Sounds like you have something fishy going on because I'd assume the www and non-www versions of your site are the same, in which case they should both have the same problem, but apparently the non-www is secure.
I'd recommend solving the problems in the same order this post talks about them. That'll help you narrow down the problem and possibly make it a non-issue.
Thank you both for replying. I have a 301 redirect set in place, but afaik the certificate is checked before the browser gets the chance to redirect to the preferred version.
I have also solved the issue. It was a problem with Cloudflare; for some reason the www version was set on DNS only instead of Proxied. Once I changed that the issue was gone.