One of the primary ways to measure the strength of a supposedly cryptographically secure hashing algorithm is *collision resistance.* If hash has a 128-bit output (like MD5 does), it should take on average 2^(128-1) guesses before you find two values that hash to the same result. Since it was first introduced in 1991, vulnerabilities have been found that reduced the number of guesses required, and at the same time computer hardware improved so more guesses could be made per second. Last I heard there are done around 2^(20) ~= 1 billion guesses, which takes a few seconds on a modern GPU.

While some algorithms are clearly better designed than others, a lot of it comes down to novelty. People have been banging on MD5 for nearly 30 years, so it is no surprise the vulnerabilities were eventually found. All hashing algorithms are going to have some kind of vulnerability, it all comes down to an arms race between algorithm authors and cryptoanalysts.