As somebody else pointed out recently in another thread, being able to steal session cookies can even help you attack the server directly, as authenticated users usually have more/different write access to databases and the like, making (e.g.) SQL injections easier. In this regard, even if you don’t consider it “hacking a website” if someone steals session cookies, HTTPS makes it more difficult to “hack websites” in the sense of “getting root access to the server”.
How that compares to the increased attack surface of the HTTPS implementation is of course up for debate.
How that compares to the increased attack surface of the HTTPS implementation is of course up for debate.