How bad is this really?
I've always wondered just how serious a security issue this really is.
Compared to other problems such as bad session handling and general coding errors, this is surely fairly trivial.
If I'm trying to get someone's personal details, the use of viruses and trojans seems to be a far better option. To intercept someone's traffic to a website I need to find somewhere along the route between their PC and the website in question where I can plug in my sniffer and then wait for them to connect. This is surely a very time-consuming and difficult thing, and other methods would seem to be far easier.
If anything, the real value of SSL is to assure the user that the site they are connected to is what it claims to be.
The lack of SSL only marginally increases the user's risk of losing personal information compared to the multitude of much more likely ways these details will be exposed (not least HR people leaving their laptops lying on a tube train).