It seems as if the choice to go with 302 over 301 was a little arbitrary to begin with. However, it does not necessarily follow that every URL is going to “have” to utilize the HTTPS scheme. There very well could be a page that allows access from both HTTP or HTTPS even if it may encourage the latter. An implementation where this may occur could have some code wired up to determine whether or not to use HTTPS based on some special criteria.

As a case scenario, take a look at Gmail. Within the settings, one is capable of allowing or disallowing the HTTPS protocol throughout large portions of the application. Which code should be returned then? 301 wouldn’t be accurate, as it isn’t “permanent”…only a change at the behest of the user. Sadly, 302 isn’t quite accurate either because a 302 error implies that there is intent to change the link back at some point in the future (related reference http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).

Granted, Gmail is a rough example because the portions of the site that allow that option are not typically indexed by a search engine, but the possibility still exists.

And to answer your final question, if you want a different status code in ASP.NET MVC (which I assume you’re using from the small syntax example), it is possible to change with a simple, custom attribute:

public class MyRequireHttpsAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        if (!filterContext.HttpContext.Request.IsSecureConnection)
            filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.MovedPermanently;
    }
}

Now all actions that implement the attribute should return a 301 status code when accessed via the HTTP protocol.