
16 years without reviewing password security seems like a massive oversight. A major leak like this is a high price to pay to learn this lesson.


The really bad thing is that md5 was considered broken in 2005 by security people like Bruce Schneier.

To be fair to them, it took till around 2008 for this to become widespread opinion, but the signs were on the wall around 2004.


You believe sha256 would drastically improve password hashing, being a not broken hash function? In 2006 they likely ran php4 and didn't have much choice what hash to use.



