It's a big site with, no doubt, a gold mine of email/password combinations to try vs. other services. Maybe the password storage was secure, but probably not. Maybe a few of those users were using secure one-off passwords, but realistically most weren't.
The hash iterations are due to vBulletin's life span and being a product. They had md5 hashed passwords. Then they realized they have to salt them. So instead of adding the the salt to the password then hashing it, they decided to add the salt to the hash so they could salt every password without having to wait to get the original password.
The point was more that two iterations of MD5 isn't nearly slow enough. This site claims 5.6G/s on an ATI 5970 (~$400US) card: http://www.golubev.com/hashgpu.htm
So for a 2-iteration password cracker, that's enough to search almost a 48 bit space of passwords in a day. That's enough to check every possible ASCII password of 7 characters or less, and a good heuristic search will probably get you much more than that.
Does the repeated MD5 protect it from the common MD5 attacks? (I recall there being something especially dangerous about just md5($salt . $pass), but I forget the details - Length Extension attack maybe?)