It depends on what you mean by pointless. 🙂 You are correct that in a standard setup, where you’re creating a session over HTTPS, and then reverting to HTTP but passing a session cookie (say) around with your requests, that the theoretical “guy in the coffee shop” can in fact see your data and/or take actions on your behalf.

The downside of using all-SSL (HTTPS) is traditionally that it is expensive from a server-side computation standpoint as well as incurring computation the client side. (Dollars and servers for the site, slower-loading pages for you.)

Therefore running most of a site in the clear has traditionally been considered an “acceptable risk” for most uses of the web.

The two risks you face are having your data be visible to others, and having others be able to act as you (by using your cookies, which they can steal). When designing a new site, you should think about the relative risks of both of these things. Notice that financial institutions will always serve all of their pages over HTTPS because the risk is not acceptable– every page contains sensitive data, and even eavesdropping is bad. Gmail provides an opt-in option to get HTTPS for all sessions, too. (Facebook doesn’t, though, nor does e.g. Yahoo! Mail).

You’ve probably noticed that many sites that run primarily over HTTP will protect critical settings changes with password re-authentication. This is one reason why they do this: even if the guy in the coffee shop can read your Facebook posts going by, he can’t change your password and lock you out without knowing your current password.

Philosophically, my guess is that over time an increasing number of services with private user data will be pressured to move to (or offer) all-HTTPS as people become aware of the risks and as use of public Wifi networks increases.