To my knowledge, the folks who actually understand such things do not say actually say that about Hillary Clinton's email server. In her case, the facts are much less clear. The key words in section 798 are "knowingly and willfully". Where Snowden knew he was leaking classified information and was a willing participant, Hillary did at least try to keep some basic (if ultimately inadequate) security on the server contents.
There is also an argument to be made that Clinton did not herself "knowingly and willfully" send any classified emails. As I understand, the only publicly released information does not mention who sent what. Rather, the classified emails may have only been sent to Hillary, making her an unwilling participant.
It is also important to understand how easy it is to accidentally include classified information in a collaborative medium like email. Let us suppose, hypothetically, that it would be outright classified to say "the President's favorite dessert is vanilla cake with chocolate frosting". It may be unclassified to say "the President prefers vanilla cake" and also unclassified to say "the President prefers chocolate frosting", but putting both together becomes a classified discussion. In the context of an email chain, especially when a participant may not read the entire chain thoroughly, it is very easy to imagine a discussion first mentioning the preference for vanilla cake, then a later reply separately adding the frosting preference. Nobody knowingly released classified information, but the classified information is there.
However, a wider-reaching law is section 793, which covers removal from the "proper place of custody". Walking into a secure environment and carrying out classified information without proper authorization would violate this law, and there are a number of cases that have been prosecuted under this section. Again, though, there's little evidence that Clinton personally mishandled classified information that was later found on her server. There is a clause in the law covering "gross negligence", but that dishonor would likely fall to whoever was in charge of securing the server, rather than the person who asked for it.
In short, Comey's assessment is pretty succinct. Hillary Clinton was careless and probably should have known better than to run a personal server, but there's not enough evidence to make a decent case against her.