Because anybody can use the md5sum of the md5sum of the password to gain access to any account
there isn't any point to cracking the password. Effectively Wordpress found a way to defete
the whole point of using hashes to secure passwords. They could of used all the salt in the
world and it wouldn't of mattered.
Maybe using 'md5sum[ salt + md5sum[ password ]]' to make the token would of made a difference.
But then it would matter exactly how the cookie-based auth token is generated. For instance if
the salt was stored in the same database as the password hashes it wouldn't do much good.. if
the salt was time based it wouldn't do much good.
This sort of thing is a very difficult problem and is why most of the time it's better to use
some method that has been developed by security researchers and has been audited by third
parties rather then try to make up your own auth systems.