It's "easy" to build a program with the same length and md5 code as another program. The md5 hash is useful as a protection against accidental collision, but it is not secure enough as a protection against an attack.
http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities
The fact that MD5 is broken has nothing to do with building a database of known-good binaries, because anyone would just use some other hash.
And also, current practical attacks on MD5 (and also on MD4) can be used to find two different strings with the same digest (which is not so useful in this case), not a string with the same digest as some other predetermined string. For this to be exploitable, the same organization would have to create two binaries, one trustworthy and one not. There is no reason to do that, as such code is mostly deemed trustworthy on the basis of who published it, not what it does.
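
The distinction drawn in the reply above, between finding any two inputs that collide and matching the digest of a predetermined input, is shown here as an added example that is not part of the original posts. It assumes a toy digest (MD5 truncated to 16 bits) so that both generic searches finish quickly; the function names and sample strings are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy size so the searches finish; real MD5 is 128 bits
TARGET = b"known-good binary v1.0 (constructed sample)"

def toy_digest(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of the MD5 digest, as an integer."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)

def find_collision(bits: int = BITS):
    """Both inputs are free to choose: birthday search, about 2**(bits/2) tries."""
    seen = {}
    for tries in count(1):
        msg = b"free-%d" % tries
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg

def find_second_preimage(target: bytes, bits: int = BITS):
    """One input is fixed in advance: brute force, about 2**bits tries."""
    want = toy_digest(target, bits)
    for tries in count(1):
        msg = b"forged-%d" % tries
        if toy_digest(msg, bits) == want:
            return msg, tries

if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision      : {a!r} / {b!r} after {n_coll} tries")
    m, n_pre = find_second_preimage(TARGET)
    print(f"second preimage: {m!r} after {n_pre} tries")
    # Generic cost scales as 2**(bits/2) versus 2**bits.
    print(f"expected order : 2**{BITS // 2} vs 2**{BITS}")
```

An allowlist of published hashes depends on the second search being infeasible, while the first search only helps someone who controls both files.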