Does anyone know whether Rivest was motivated to design MD5 by the partial attacks on MD4, or whether those came later? (This is totally idle curiousity.)
It was after...
All of the well-known software hash functions seem to be based on MD4 these days, but that doesn't mean much about the security of MD4--3DES with three independent keys looks pretty strong, as does. 3DES with two independent keys, but that doesn't mean that single DES is a strong enough cipher for modern applications.
3DES with only two independent keys is only slightly more secure than DES, consider a variant of the meet in the middle attack exploiting the fact that the constraint network is reductible to two equations in one unknown.
Is there a generic construction for arbitrary-length hash functions from good block or stream ciphers?
Yes, see Bruce's book. Phill