They need users to be confident in their ability to run a secure service, especially when company secrets (source code, in this case) are on the line.
Also, their audience is much more likely to pay attention to things like FireSheep. I can just about guarantee that 9/10 Facebook users have never heard of FireSheep and wouldn't even notice if Facebook went 100% SSL tomorrow.
Edit: That said, I totally agree with your comment.
I wish other sites were able to follow suit.