Cookies, and usually java, can be used to implement security which is *much more secure* than digest authentication. Session hijacking, cookies as sent over the wire and any previous values can all be easily rendered useless.
If the application is LWN then security is not critical: the marginal cost of shipping a few unfunded bits is presumably minimal. It is enough for a reasonable majority of people to pay.
P.S. You can implement digest logout now by always returning 401 if a cookie is not present, even if the credentials are valid. The logout button just deletes the cookie. You can include the cookie in the 401 response. I know this works in IE, Firefox, Opera and Chrome.
A real browser "forget my credentials for this website" button would be much better and more secure but I am fairly sure it will not be implemented within the next 3 years.
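The cookie-gated 401 described in the P.S. above, as an added server-side sketch that is not the commenter's code. The cookie name, realm, demo account and function names are assumptions, and tracking of issued nonces is left out to keep the gate logic visible.

```python
import hashlib, re, secrets

REALM = "example"             # assumed realm
USERS = {"alice": "s3cret"}   # constructed demo account
COOKIE = "authgate"           # hypothetical marker cookie, carries no secret

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_ok(auth_header, method):
    """Verify an RFC 2617 Digest response (MD5, qop=auth)."""
    if not auth_header or not auth_header.startswith("Digest "):
        return False
    f = dict((k, v.strip('"')) for k, v in
             re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', auth_header[7:]))
    try:
        ha1 = _md5(f"{f['username']}:{REALM}:{USERS[f['username']]}")
        ha2 = _md5(f"{method}:{f['uri']}")
        want = _md5(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    except KeyError:          # missing field or unknown user
        return False
    return secrets.compare_digest(want.encode(), f.get("response", "").encode())

def handle(method, headers):
    """Return (status, response_headers) for a protected resource."""
    has_cookie = f"{COOKIE}=" in headers.get("Cookie", "")
    if has_cookie and digest_ok(headers.get("Authorization"), method):
        return 200, {}
    # No cookie (first visit, or the logout button deleted it) or bad
    # credentials: answer 401 even if the digest is valid, and set the
    # cookie in that same 401 so the retry after the prompt succeeds.
    nonce = secrets.token_hex(16)
    return 401, {
        "WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"',
        "Set-Cookie": f"{COOKIE}=1; Path=/",
    }

def client_authorization(user, password, method, uri, nonce):
    """Header a browser would send; used here only to exercise handle()."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    ha1 = _md5(f"{user}:{REALM}:{password}")
    resp = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{_md5(f'{method}:{uri}')}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```
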