I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.

However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ...