Note that the hash function starts with a static value.
If it called OP SHA256 for every bit then the final version would be the same regardless of input bits.
If it did nothing for 0 bits, then the sequence 101 would produce the same result as 11 and 10001, which is not good in a hash function.
If it alternated OP_HASH256 (double) and OP_SHA256 (single), it be similarly vulnerable since the sequence 00 gives the same result as 1.
Unfortunately there are no other OP codes that take a 32 byte value (the previous hash result) and push a different 32 byte value to the stack. We can’t e.g. do OP_IF 1 OP_ADD OP ENDIF because Script numbers are limited to 4 bytes.
That leaves OP_RIPMED160 as the least bad alternative. It change the input in a way that’s different from SHA256, but you lose 12 bytes.
