It is only off-topic because Tradehill does not use MD5 Hashing, I can't find what hashing they do at the moment.
However, if the database is compromised somehow, account locks after failed login attempts won't help much. That is why you need to choose a secure (likely hard to remember) password. It doesn't matter how convoluted the hash function is; attackers will have the time to do a dictionary attack on their own machines.
That said, (salted) hashing of the passwords is better than storing them in clear-text. It means that most users have time to change their passwords once they learn about the breach. Hopefully Tradehill won't have such a breach.