
MD5 is considered broken and SHA-1 is closely following, but HMACs built around either are still considered relatively secure. It makes me wonder if MD5 and SHA-1 HMACs can be used as secure hashes.

  1. Settle on some constant $C$ that will serve the role of $K$.
  2. Define a new hash algorithm as $H_C(x)=HMAC(C, x)$.

Could this work?

Melab

2 Answers


HMAC remains unbroken with MD5 and SHA1 because it has a secret key that the attacker doesn't know. Therefore, the attacker cannot carry out huge computations on itself (as is required for finding collisions). [A parenthetic comment: please do not misunderstand me; MD5 is completely broken and should not be used anywhere including in HMAC.] In contrast, when you fix the HMAC key and make it public, you can once again find collisions. In fact, the specific collision-finding algorithms that we know for MD5 and SHA1 (via differentials) work for any IV. When using a key for HMAC that is known, this just gives a different IV. Thus, there is no problem whatsoever finding a collision (in practice, given known methods; not just theoretically).

The solution to SHA1 being broken is to move to SHA256 (and later to Keccak after some more validation time).

Yehuda Lindell
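To make the "a known key just gives a different IV" point concrete, here is an added Python example (not from the question or either answer) that writes out $H_C(x) = \mathrm{HMAC\text{-}MD5}(C, x)$ as RFC 2104 defines it. The constant `C` and the messages are constructed values; the inner call hashes `(C xor ipad) || x`, so after one compressed block the hash sits in a fixed, public chaining value from which every message is then hashed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 and SHA-1 both compress 64-byte blocks


def pad_key(constant_key: bytes, algo=hashlib.md5) -> bytes:
    """RFC 2104 key preprocessing: hash if longer than a block, then zero-pad."""
    if len(constant_key) > BLOCK_SIZE:
        constant_key = algo(constant_key).digest()
    return constant_key.ljust(BLOCK_SIZE, b"\x00")


def h_c(constant_key: bytes, message: bytes, algo=hashlib.md5) -> bytes:
    """H_C(x) = HMAC(C, x), written out so both hash invocations are visible."""
    key = pad_key(constant_key, algo)
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = algo(ipad + message).digest()  # H((C xor ipad) || x)
    return algo(opad + inner).digest()     # H((C xor opad) || inner)


def inner_iv_state(constant_key: bytes, algo=hashlib.md5):
    """Hash object after absorbing exactly one block, (C xor ipad).

    With C public this chaining value is public too; every message is hashed
    starting from it, so it plays precisely the role of a different IV."""
    state = algo()
    state.update(bytes(b ^ 0x36 for b in pad_key(constant_key, algo)))
    return state


def inner_hash_from_iv(iv_state, message: bytes) -> bytes:
    """Continue the inner hash from the fixed chaining value for any message.

    A collision of MD5 under this shifted IV is therefore an H_C collision,
    because the outer call only ever sees the inner digest."""
    s = iv_state.copy()
    s.update(message)
    return s.digest()


def matches_stdlib(constant_key: bytes, message: bytes) -> bool:
    """Sanity check: the written-out construction equals hmac.new(..., 'md5')."""
    return h_c(constant_key, message) == hmac.new(constant_key, message, "md5").digest()


if __name__ == "__main__":
    C = b"\x0b" * 16  # constructed constant; also RFC 2202 HMAC-MD5 test case 1 key
    print(h_c(C, b"Hi There").hex(), matches_stdlib(C, b"Hi There"))
```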

Yes, but doing so wouldn't be any more collision-resistant than just settling on some new IV.

(HMAC is only supposed to be a PRF. Collision-resistance is significantly harder to achieve.)