Board Electrum
Re: [GUIDE] How to Safely Download and Verify Electrum [Guide]
by DireWolfM14 on 26/04/2021, 16:32:23 UTC
⭐ Merited by JayJuanGee (1)
It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.
But if the site was compromised, and it showed a different hash, the signature using Thomas' key wouldn't be valid.

I don't want to speak for Dabs, but I think that's the point he's trying to make.  If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers.  If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong.  To defeat this type of security the hacker would have to gain access to multiple unconnected servers.  Not impossible, but highly unlikely.
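An added example, not part of the original post: a shell check that accepts a download only when `gpg` reports a valid signature from a key whose fingerprint was pinned from a source independent of the download site. The function names and the `PINNED_FPR` placeholder are assumptions for illustration; the page does not give the signer's fingerprint.

```shell
#!/bin/sh
# Placeholder, NOT a real key. Replace with the signer's fingerprint obtained
# from a source that is independent of the download site (assumption: you have one).
PINNED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint (as signing key or as primary key) and no signature
# in the file is bad or made by an expired/revoked key.
status_trusts() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# usage: verify_release FILE FILE.asc
# A checksum published next to FILE would be replaced together with it on a
# compromised site; the signature cannot be forged without the private key.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_trusts "$PINNED_FPR"
}
```

Matching on the full fingerprint in the `VALIDSIG` line, rather than on gpg's exit code alone, keeps a signature made by some other key already in the keyring from being accepted.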