The use of SSL is much, much more widespread than that. And to look at this from a different angle - if it was as easy to capture cookies and login details like this from mainstream websites they just wouldn't be useable. Look at the vast numbers of people that log in every day from Starbucks, McDonalds, airports around the world, etc. all without encryption on the wireless link. How many of these people regularly use VPNs?

Best practices for the last 5-10 years have involved putting the security into the web application, primarily using SSL for anything even remotely sensitive, precisely because you can't depend on the security of the network link.

From a personal perspective, I have no hesitation about logging into my online banking, credit card accounts, webmail, etc. and using business applications such as Outlook and Salesforce from any public WiFi hotspot. The only thing I use a VPN for is to get around geographical restrictions for certain sites, as mentioned above.