So is that my answer to the question that started this thread? We know how to make good hashes, but they are slow. And all the fast hashes get broken eventually?
I'd phrase it as "because hashes have historically attracted less attention than ciphers, it took longer for us to figure out how much of a margin of error to design into hashes".
For both block ciphers and hashes, the vast majority of designs rely on iterated mixing functions, and long before the complete designs are broken cryptographers figure out how to attack reduced-round versions. There's nothing inherently broken about the designs behind either MD5 or SHA1 -- if you created an MD5++ hash which exactly followed the design of MD5 but used twice as many mixing rounds, I don't think anyone would be able to find collisions for it.
