"Why not just grab the hard drive from a server and run?"
You need physical access to do that. You can do it but it requires much more planning than just sniffing somewhere on the network. You don't need to sniff from the source or the destination network. Somewhere in the middle is just fine. You can even do it from previously cracked networks and be relatively safe. Much safer than "grab and run" if you ask me.
It's also spectacularly unsubtle - if I were a malicious intruder in your network who wanted to gain access to your confidential information and not get caught, I'd be far more likely to sniff the right access credentials to get at it digitally over the wire, as this would allow me to copy the information then and there, or come back for it later, either (assuming that I can do so without being logged) without you finding out about it.
Contrast this with pulling the hard disk, which is likely to get me noticed within 1-2 minutes (unless I'm lucky enough to need information from a server with an unmonitored, mirrored raid array and I happen to know the right disk to pull) when the server stops responding, and I know which one I consider a more likely security risk!