Computing overhead of HTTPS is extremely low, especially when compared to PHP & MySQL. Configuration is easy. Only one wildcard certificate is needed for the whole sourceforge domain. So why not? You could have it up & running this evening.
Sourceforge encourages projects to migrate their hosted apps (e.g. WordPress or wiki) to project web space. All these apps come with administration interface that requires administrator to log in. Since project web doesn't support SSL, administration sessions go through unencrypted HTTP connections, which makes them vulnerable to trivial password/cookie sniffing attacks. This is particularly important on sourceforge where software is distributed to end users. Hijacking WordPress, for example, would allow the attacker to insert fake download links that would enable the attacker to infect thousands of other systems.
(ticket moved from site support section to feature requests)
Comment from Chris Tsai:
I would like to note that this is not quite so simple, there are other things to consider beyond just the technical feasibility.