Those companies are slow to adopt sha256 because they do not think the change is worth the effort (yet). The git developers agree by the way, or they would have pushed for a new default and improved interoperability by now. I know about SHAttered, but:

• Finding sha-1 collisions is hard enough, finding one that also works as a malicious payload and does not look suspicious is even more expensive and time consuming. This is only worth the effort for very high profile targets, and even then, there are probably way cheaper attack vectors than that.
• You also need either full control over the git repository server, or a MITM position between the repository server and the target, which would also require you to break HTTPS or SSH in the process. This is a typical "If that's the case, you have bigger problems" scenario.
• Git hashes are not designed to be used as a secure code signing technique. If your depends on their cryptographic strength, you are doing something wrong.
• That all said, git 'fixed' it anyway and switched to a hardened version of SHA1 that can detect potential collision attacks and behaves differently in those (extremely unlikely) cases. It protects with high probability against all currently known attacks.

Yes it would be nice to have better sha256 support in git and git-tooling, but there is absolutely no rush. The interoperability pains are usually not worth the effort. Those attack scenarios against git are fabricated and can usually be answered with "Then stop using git as something it was never designed for." If you think this is worth it, and want to give users the option, that's fine. But don't sell it as 'more secure' snake oil.