The reason is security. Over http, users' login credentials are transmitted in clear text. Anyone, anywhere on a network segment over which your traffic is flowing can easily capture login credentials. That's why the admin console is https only.

So, if a user goes to log in over the coffee shop open wireless, in most cases everyone else on the wireless can easily get the login credentials. Even in an office LAN, one disgruntled employee with no tech training to speak of can easily capture everyone's login credentials. And once logged in, all those emails read and sent are also available for public viewing.

Setting Zimbra to automatically redirect to https solves this issue of snooping, and using complex passwords mitigates the issue if cracking. Hope that clarifies things.