This is likely caused by some dependencies defining their own "repositories" section in their own POM, with the insecure Maven Central URL defined in those.
You may be able to fix this in your .m2/settings.xml by defining a "mirrorOf" for any such references in dependency POMs. You'll have to figure out all the various names of the repositories defined in the dependencies (usually, it's "central" or similar). You could add a "mirrorOf" for *, but that will probably mess up some legitimate ones.
Details on how to configure a mirror are here: https://maven.apache.org/guides/mini/guide-mirror-settings.html
And, it is very easy to have a pre-install step place a custom .m2/settings.xml file in Travis CI, too. See, for example: https://github.com/apache/accumulo/blob/99e3023c7f96a2553282dc73cffdf82659285d2d/.travis.yml#L34-L37
This has effected other Apache projects as well: https://issues.apache.org/jira/browse/THRIFT-5068?jql=summary%20~%20%22repo1.maven.org*%22%20OR%20description%20~%20%22repo1.maven.org*%22%20ORDER%20BY%20created%20DESC