Intuitively you might think concatenating two hashes could make something way stronger than either, but the way these functions were constructed, that isn't necessarily true. It also shows a trick to efficiently make exponentially more collisions with linearly more work. It's not that those specific tricks work against every idea for fortification; the paper says it doesn't break some schemes you'd expect it to. But it does show that a weak Merkle-Damgård compression function has weird indirect effects, and that makes things built on one seem shakier.
It can make some difference to try to build a system not to rely on collision resistance if possible, or not to give the attacker full control over the input to the hash. For example, CAs started putting a random serial number not predictable by the requestor into the generated cert, so the attacker couldn't predict all of the content being signed. They still moved off SHA-1, of course.
There are lots of good things to say about newer functions. They do more work (more rounds, bigger state), may make better choices of where to spend their effort (newer functions seem to mix bits faster), and use today's CPU capabilities effectively (recent hashes support SIMD parallelism; SHA-512 uses your 64-bit ALU; SHA-256 even has x64 instructions).
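The multicollision trick the comment alludes to (Joux's construction: k sequential block collisions in a Merkle-Damgård chain give 2^k colliding messages for k times the work of one collision, and those 2^k messages can then be used to birthday-search a second, independent hash so that H1||H2 is not much stronger than H2 alone) is easiest to see on a deliberately tiny hash. The following is an added illustration, not code from the comment or from the paper it refers to: it assumes a toy 24-bit compression function built by truncating SHA-256 (the narrow state is its only weakness) and a toy 12-bit "second hash"; the names `compress`, `md_hash`, `joux_multicollision` and `collide_concatenation` are all this example's own.

```python
import hashlib
import itertools

# Toy parameters (assumptions for the demonstration, not any real hash).
STATE_BITS = 24
STATE_BYTES = STATE_BITS // 8
BLOCK_BYTES = 8
IV = 0x123456


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (state || block), truncated to 24 bits.
    The only thing 'weak' about it is the narrow chaining state, which is exactly
    what the multicollision construction exploits."""
    assert len(block) == BLOCK_BYTES
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def md_hash(message: bytes) -> int:
    """Merkle-Damgard iteration over 8-byte blocks, finished with a length block
    (MD strengthening). Strengthening does not help here: every message produced
    below has the same length."""
    assert len(message) % BLOCK_BYTES == 0
    state = IV
    for i in range(0, len(message), BLOCK_BYTES):
        state = compress(state, message[i:i + BLOCK_BYTES])
    return compress(state, len(message).to_bytes(BLOCK_BYTES, "big"))


def find_block_collision(state: int):
    """Birthday search (about 2^(STATE_BITS/2) calls) for two distinct blocks that
    map `state` to the same next state. Deterministic: blocks are a counter."""
    seen = {}
    i = 0
    while True:
        block = i.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        i += 1


def joux_multicollision(k: int):
    """k block collisions chained one after another: linear work, 2^k messages
    that all share the same md_hash value."""
    state = IV
    pairs = []
    for _ in range(k):
        b0, b1, state = find_block_collision(state)
        pairs.append((b0, b1))
    # Each message picks one block from each colliding pair: 2^k choices.
    return [b"".join(choice) for choice in itertools.product(*pairs)]


def second_hash(message: bytes) -> int:
    """Toy 'second' hash, unrelated to the first: 12 bits of a separate SHA-256 call.
    It has no structural weakness at all; it is only short so the example runs fast."""
    return int.from_bytes(hashlib.sha256(b"second-hash|" + message).digest()[:2], "big") & 0xFFF


def concatenated_hash(message: bytes):
    """H1 || H2, the construction one might hope is as strong as 24 + 12 bits."""
    return (md_hash(message), second_hash(message))


def collide_concatenation(k: int):
    """Use a 2^k multicollision on H1 as the candidate pool for a birthday search
    on H2. Cost is k * 2^(n1/2) + 2^k instead of the hoped-for 2^((n1+n2)/2)."""
    seen = {}
    for m in joux_multicollision(k):
        h2 = second_hash(m)
        if h2 in seen:
            return seen[h2], m  # same H1 by construction, same H2 by birthday
        seen[h2] = m
    return None


if __name__ == "__main__":
    msgs = joux_multicollision(4)
    print(len(msgs), "messages, distinct H1 values:", len({md_hash(m) for m in msgs}))
    a, b = collide_concatenation(10)
    print("concatenation collision:", concatenated_hash(a) == concatenated_hash(b), a != b)
```

Ten block collisions on the 24-bit chain (each roughly 4,000 compression calls) yield 1,024 messages with identical H1, which is more than enough to find a pair agreeing on the 12-bit H2; the point the comment makes is that the second hash's strength barely mattered once the first was an iterated construction with a narrow state.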