But developers can post hashes of files here on bitcointalk. Or on Twitter. In a second source. It's 99.9% secure!
Why not do this?
This section consists of a million threads where people complain about electrum wallet phishing.
This would be a pointless exercise. Do you even know how people end up installing fake electrum versions? Most of them google electrum and follow a link in an ad to the fake electrum site. Others are falling prey to the phishing messages in old electrum versions. None of these people frequent this or any other community forum. If they did they would know better and would only download from electrum.org.
Now consider what happens when people who have fallen prey to fake versions come here and complain. They never visited this forum before but when they need help they seek it out. What are we to tell them? Would it serve any purpose to ask them whether they verified the hashes? The fake sites have hashes for the fake versions so there is no point in verifying hashes. As HCP pointed out hashes alone do not let you authenticate the source of the software. A digital signature of the maintainer is required for that.
Why are you and other users so resistant to learning how to verify digital signatures? It only takes a few minutes to learn how to do this.
Here's a guide if you're interested.
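
The point made in the reply above (a hash served next to a file matches whatever the site serves, while a signature checked against the maintainer's pinned public key does not), as an added example that is not part of the thread. A hash-based Lamport one-time signature stands in for the maintainer's real signature so the code runs on the Python standard library alone; the keys, file contents and site names are constructed.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of random secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(data: bytes):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    # Reveal one secret per digest bit; only the private-key holder can do this.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    bs = bits(data)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bs[i]] for i in range(256))

def check_download(site, pinned_pk):
    """Return (hash_ok, sig_ok) for the file, hash and signature one site serves."""
    hash_ok = hashlib.sha256(site["file"]).hexdigest() == site["sha256"]
    return hash_ok, verify(pinned_pk, site["file"], site["sig"])

def build_sites():
    maint_sk, maint_pk = keygen()   # maintainer's key; the user pins the public half
    atk_sk, _ = keygen()            # a fake site can only sign with its own key
    real = b"constructed genuine installer bytes"
    fake = b"constructed trojaned installer bytes"
    sha = lambda f: hashlib.sha256(f).hexdigest()
    sites = {
        "official": {"file": real, "sha256": sha(real), "sig": sign(maint_sk, real)},
        "phishing": {"file": fake, "sha256": sha(fake), "sig": sign(atk_sk, fake)},
        # Fake file served with the genuine release's signature copied beside it.
        "replay": {"file": fake, "sha256": sha(fake), "sig": sign(maint_sk, real)},
    }
    return maint_pk, sites

if __name__ == "__main__":
    pk, sites = build_sites()
    for name, site in sites.items():
        print(name, check_download(site, pk))
```

The hash check passes for all three sites; only the signature check separates the official download from the other two, and it does so only because the public key was obtained independently of the download site.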