SHA1 has a sloppy key/msg schedule. They could have just done a random permutation of words and been safe - it would have even been cheaper than what the ended up doing. Such as what BLAKE does.