The Git folks moved to a hardened SHA1 function as an interim measure on the way to SHA-256 - https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt
I think you're generally right. While I might think that an auditor would simply be advised of the root hash for a Merkle tree that for a branch at a moment in time, or a tag, Subversion doesn't have a a Merkle tree under the hood. I coded something niche to retrofit Subversion with that, but it's not core and far from perfect as it relies on an LRU cache and keeps no history itself. Git's merkle tree would be perfect if it didn't blow up when repos get too big, and if allowed clone from nodes other than root (branches and tags are in respect of root of course). So, ignore me here.
