How fast can the Core Developers react IF an actual Quantum Computer is projected start breaking SHA-256 in one year?
If people will be in a hurry, then everyone can agree, that vulnerable coins should be timelocked for example for a few years, and in the meantime, the transition plan can be prepared. Which means, that even if unexpected things will happen, then still: freezing coins for a while, and giving developers more time, to prepare a proper transition, is something that can be done, in the worst case. And by seeing existing discussions, I doubt there will be no proposal: I'd rather expect a lot of different competing versions, and many discussions, related to activating BIP-X, BIP-Y, or BIP-Z.
Also, it is very unlikely, that everything will be broken at once, because different people use different keys, which means, that if breaking a single key takes for example a day, then still: it will take a whole year to break 365 keys. And also, even if keys can be broken instantly, in seconds, then still, the maximum block size can limit the damage, because nobody will be able to confirm more than 4 MB of data per 10 minutes, even if all private keys will be publicly known.
Time to implement is not really a concern.
Exactly. Many times, it took much longer to decide, how to activate a given BIP, than writing the actual implementation. And even in quantum scenarios, today's discussions are more focused on "how to activate things", rather than "which algorithm should be picked". Because for the latter, there are many options, and if people will be in a hurry, then they will just take their favourite signature scheme, and the one, who will be the fastest to make the Pull Request, will likely win. And the more time we have, the more quality can be put into picked solutions.
Why worry about such stuff today, you won't even be alive to see it?
Yes, for hash functions, we don't have preimages even for broken MD5 or SHA-1. And by seeing how SHA-1 was patched, I wouldn't worry too much about attacks on SHA-256, because this hash function is very similar, so can be hardened in the same way, based on discovered attacks (also, breaking ECDSA through SHA-256 requires preimages; even if ECDSA would use MD5 inside, you wouldn't break it, by having only collisions).