You might say we should therefore use sha1 or rmd160 instead. But what if a similar problem is discovered in sha1 or rmd160?
MD5 already has one; the others do not.
Even if flaws exist in all three checksum algorithms that enable differing files to have the same checksum, it is virtually impossible for such a flaw to affect more than one checksum algorithm at a time. That is, take two different files A and B which have been constructed so that their md5 sums are the same. I will eat my hat if they also have the same sha1 sums or the same rmd160 sums.
Therefore, use more than one checksum and the weakness of any individual algorithm becomes unimportant.
That makes sense. Anyway, the thing is not to drop MD5 as a checksum but to encourage port authors to write more secure Portfiles. For this purpose, I like your idea of warning the Portfile author when the checksum is not secure enough.
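The two ideas in this exchange (accept a file only when every listed checksum matches, and warn the Portfile author when the listed checksums are too weak) are sketched below as an added example; it is not MacPorts code and not from the original thread. The function names, the warning policy and the sample distfile are assumptions constructed for illustration.

```python
import hashlib

WEAK = {"md5"}  # assumption: md5 is the only type treated as weak on its own

def parse_checksums(stanza):
    """Parse 'checksums md5 <hex> sha1 <hex> ...' into {type: hex}."""
    tokens = stanza.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "checksums":
        raise ValueError("not a checksums stanza")
    pairs = tokens[1:]
    if len(pairs) % 2:
        raise ValueError("checksum type without a value")
    return {pairs[i].lower(): pairs[i + 1].lower() for i in range(0, len(pairs), 2)}

def lint(checksums):
    """Return warnings aimed at the Portfile author (hypothetical policy)."""
    if not set(checksums) - WEAK:
        return ["only md5 is listed; add sha1 or rmd160"]
    if len(checksums) < 2:
        return ["only one checksum type is listed; list more than one"]
    return []

def verify(data, checksums):
    """Return (mismatched, skipped); accept the file only if mismatched is empty."""
    mismatched, skipped = [], []
    for algo, expected in checksums.items():
        name = "ripemd160" if algo == "rmd160" else algo
        try:
            digest = hashlib.new(name, data).hexdigest()
        except ValueError:  # digest not provided by this Python/OpenSSL build
            skipped.append(algo)
            continue
        if digest != expected:
            mismatched.append(algo)
    return mismatched, skipped

# Constructed sample: a fake distfile and the stanza its author would write.
SAMPLE_DATA = b"constructed distfile contents\n"
SAMPLE_STANZA = "checksums md5 {} \\\n          sha1 {}".format(
    hashlib.md5(SAMPLE_DATA).hexdigest(), hashlib.sha1(SAMPLE_DATA).hexdigest())

if __name__ == "__main__":
    sums = parse_checksums(SAMPLE_STANZA)
    print("lint:", lint(sums))
    print("verify:", verify(SAMPLE_DATA, sums))
    # A file that matched md5 but not sha1 would still be rejected:
    sums["sha1"] = "0" * 40
    print("md5 matches, sha1 does not:", verify(SAMPLE_DATA, sums))
```
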