We do exactly the same thing -- data-sensitive requests sent over HTTPS with a secure cookie, normal browsing over HTTP. At this point it seems difficult to implement site-wide SSL (CDN issues, browser bugs, overhead in SSL).
It seems like an important area of development for the web community to improve the tools and services available to make SSL on regular sites easier to implement. Yes, it's easy to turn on SSL, but there's a lot of nuance in a good implementation.
That's basically what we are going to have to do. There will be trade-offs (carving time out of our roadmap, etc.) and it's going to be a pita, but our space is one where some moron is going to sniff out a bunch of logins at a conference and pull some epic trolling and we'll have to spend time deleting the crap.
It's a shame that we can't go all SSL, but that's just the way it will have to be. The best we can do is make it difficult to hijack access to our tools that require elevated permissions.