If you are using JWT and someone breaks SHA2, you still have to worry about downgrade attacks. To evade downgrade attacks, you'll have to detect the protocol the client sends, and reject tokens that specify SHA2 or below. Or, roughly the same position you'd be in with one good algorithm: still in need of a backwards-incompatible upgrade.
The idea was certainly not that services blindly accept any token from every algorithm shipped in the library.
Your browser supports TLS 1.0, should you throw it out?
> If someone breaks SHA2...
JWT has a built-in mechanism for handling this: expirations.
The expiration is just an additional value in the payload that the implementation is supposed to check against.
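An added example, not code from anyone in this thread, showing what the two defences raised above look like in a verifier: the server pins its own algorithm allow-list (the token's `alg` header is only compared against it, never used to pick the verifier) and then checks `exp`. It assumes HMAC-signed tokens and a constructed secret; which algorithms sit in the allow-list is the policy, the mechanism is the same whichever family you keep.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real service loads its key from a secret store.
SECRET = b"constructed-demo-secret"

# Server-side policy: only these algorithms are ever used to verify. The
# token's own "alg" header selects nothing; it must merely match this set.
ALLOWED_ALGS = {"HS384": hashlib.sha384, "HS512": hashlib.sha512}
_ALL_HMAC = {"HS256": hashlib.sha256, **ALLOWED_ALGS}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(payload, alg, key):
    """Mint a JWT; used here only to construct test tokens (alg 'none' gives an empty signature)."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": alg, "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), _ALL_HMAC[alg]).digest() if alg in _ALL_HMAC else b""
    return signing_input + "." + _b64url_encode(sig)

def verify(token, key, now=None):
    """Return the payload or raise ValueError. Refuses any alg outside
    ALLOWED_ALGS (the downgrade defence) and any token at or past its exp."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError as e:  # covers bad base64 and bad JSON
        raise ValueError("malformed token") from e
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:  # "none", HS256, RS256, ... all refused here
        raise ValueError("algorithm %r not allowed" % alg)
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if "exp" not in payload or (time.time() if now is None else now) >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload

def reject_reason(token, key, now=None):
    """None if the token verifies, else the reason it was refused."""
    try:
        verify(token, key, now)
        return None
    except ValueError as e:
        return str(e)
```

Note that a token signed with HS256 under the correct key is still refused: the allow-list, not the key, decides which algorithms are live.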
Unlike JWT, hundreds of the world's best security engineers at various browser companies are working on mitigating the situation as well as possible.