Regarding the first question: you should consider using HTTPS for your website for user authentication and their usage once authenticated, because most authentication methods (typically cookie-based, session-ID in the URL or HTTP Basic) would transmit the authentication token (e.g. the cookie) in clear otherwise. As such, an eavesdropper could impersonate the authenticated user by re-using the session-ID/cookie for themselves. This sort of attack has been around for a long time, but tools like Firesheep, in conjunction with the use of unprotected (possibly public) WiFi networks makes this quite practical unfortunately.

Regarding the second question: you get those warnings for mixed-content, i.e. pages served over HTTPS that embed content from HTTP sites. If you’re using secure cookies, your authentication token (in the cookie) shouldn’t leak to the non-protected content embedded on the page… However, it’s impossible for the use to know that. Teaching users to ignore warnings is generally bad practice.
If it’s your content, turn on HTTPS. If it’s someone else’s and they don’t have HTTPS access, it’s a bit trickier. One solution may be to relay their content through your website (but you would need to rewrite their links, etc.).

As always, it’s a matter of risk assessment. You can actually use Facebook over HTTPS (by typing https:// explicitly). Since posting on Facebook can have you sent to prison, you wouldn’t want anyone impersonating you.

Some sites don’t enable HTTPS because it’s thought to be expensive, which isn’t necessarily true (Compatibility of XP for Server Name Indication and shared hosting is also an issue, as detailed in this article too).