I don't want to speak for Dabs, but I think that's the point he's trying to make. If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers. If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong. To defeat this type of security the hacker would have to gain access to multiple unconnected servers. Not impossible, but highly unlikely.
This assumes that the attacker won't also replace the PGP public key for ThomasV. PGP is best used in conjunction with an established web of trust, which can be hard to get for some users, and I would probably recommend that users at least get another source of information to validate that the imported public key is also correct.
I agree with the above sentiments as well. Using solely the hash of the files as a validation is insecure. There is a reason why Bitcoin Core hash sums are included within a PGP-signed message, and users are encouraged to verify the signature first before trusting them. Using the hashes as they are would merely serve as a way to verify data integrity but not guarantee its security.
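Added example, not code from this thread or from the project being discussed: a POSIX shell function that applies what the three posts describe, treating the signed checksum manifest as the thing to trust, pinning the signer's fingerprint obtained out of band (the caveat in the second post), and only then checking file hashes. It assumes GnuPG 2.1+ and coreutils `sha256sum` are installed; file names and the fingerprint are placeholders.

```shell
#!/bin/sh
# verify_release <pinned_fingerprint> <manifest> <manifest.asc>
# Succeeds only if (a) the manifest carries a valid signature made by the
# key whose fingerprint was obtained from an independent source, and
# (b) every downloaded file listed in the manifest matches its hash.
# The pinned fingerprint must be 40 uppercase hex digits, as gpg prints it.
verify_release() {
    pinned="$1"; manifest="$2"; sig="$3"

    # Ask gpg for machine-readable status lines instead of trusting exit codes alone.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null) || return 1

    # A bare 'gpg --verify' reports success for ANY key in the local keyring, so a
    # substituted public key on a compromised site would still "verify".  Require the
    # VALIDSIG line to name the pinned key: its first field is the signing key's
    # fingerprint and its last field is the primary key's fingerprint.
    echo "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG (${pinned} |.* ${pinned}\$)" || return 1

    # Only now are the hashes inside the manifest worth anything.  --ignore-missing
    # lets a user who downloaded one of several listed files still get a clean check.
    sha256sum --ignore-missing --check --status "$manifest"
}
```

A mismatch between the manifest and the detached signature, or a signature from an unpinned key, fails before any hash is compared.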