antp
Because the sensitive info that is transmitted is your username/password, so why force it by default in case someone is browsing as a visitor in http-only (in case for some reason https does not work for him)?
Once logged in you would stay in https, of course (I should then force the cookie & session to be useable in https only).