How insecure is SHA-1 compared to other algorithms out there?
Is it a monumental task to swap it out on a 2.0 install for something more secure?
Decently secure. Still requires a lot of work since there is a salt as well. It only matters if your database gets leaked, insecure software.
People could then discover a users password then try on other sites.
2.1.x uses bycrpt more secure
And yes, it's not minor to change it. That's why the change was fine in 2.1 and not as a patch to 2.0