What? Git absolutely makes it trivial to impersonate commits. All you have to do is change some Git config settings. Or, export your commit into a patch/email file (git format-patch), modify it, and then import it (git am). Or, set some environment variables (GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL), etc.
As you yourself mentioned, very, very, very few projects/people sign their commits. Even fewer actually verify them.
Sign with GPG for the hash, as linked. The methods you mentioned do allow malicious modification. Signing the commit with a public key makes it a lot more difficult.
In the same vein, one can spoof email - but DKIM, SPF, DMARC together as controls make it much more difficult.
Again, as you yourself mentioned, very, very, very few projects/people sign their commits. Even fewer actually verify them. That has nothing to do with how easy Git makes it to impersonate commits. In fact, whether you sign or not, you can still easily impersonate commits with any Git tool unless the person on the other end actively verifies the signature. (Which GitHub makes much easier than git, since they also maintain & automatically check a verified mapping of email -> GPG key, instead of you having to somehow get the key, then make sure it's the right one, and then explicitly tell git to verify the signature.)
I am well aware that you can sign commits with Git. I do, personally and professionally, and my coworkers and I are required to, by policy that I wrote. That has absolutely no bearing on the topic at hand even tangentially.
Their UI is far better at it than the git tool itself. You have to explicitly tell git to check signatures (not to mention needing to go get people's keys and verify that they're correct, which GitHub does for you).
Git does not make it trivial to impersonate commits. http://www.linuxjournal.com/content/signing-git-commits
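Added example, not part of any comment in this thread: git reports signature status only when asked, so this sketch classifies the %G? column of git log --format='%H %G? %ae' output and counts commits that lack a validated signature. The function names, sample hashes and addresses are constructed, and treating every status other than G as untrusted is an assumed policy.

```shell
#!/bin/sh
# Input lines: "<hash> <%G? code> <author email>", as produced by
#   git log --format='%H %G? %ae'
# %G? codes from git's pretty-format documentation:
#   G good, B bad, U good with unknown validity, X good but expired,
#   Y good but made by an expired key, R good but made by a revoked key,
#   E cannot be checked (e.g. missing key), N no signature.

# Map each commit to a verdict. Assumed policy: only G counts as trusted.
classify_commits() {
    awk '{
        code = $2
        if (code == "G")      verdict = "trusted"
        else if (code == "N") verdict = "unsigned"
        else if (code == "B") verdict = "bad-signature"
        else if (code == "E") verdict = "unverifiable"
        else                  verdict = "signed-untrusted"
        print verdict, $1, $3
    }'
}

# Number of commits that are not trusted; a merge gate would fail on > 0.
count_untrusted() {
    classify_commits | awk '$1 != "trusted" { n++ } END { print n + 0 }'
}

# Constructed sample (not real commits): every line claims the same author
# email, but only the first has a signature git could fully validate.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G alice@example.com
2222222222222222222222222222222222222222 N alice@example.com
3333333333333333333333333333333333333333 E alice@example.com
4444444444444444444444444444444444444444 B alice@example.com
5555555555555555555555555555555555555555 U alice@example.com
EOF
}

# Against a real repository, replace sample_log with:
#   git log --format='%H %G? %ae'
sample_log | classify_commits
echo "untrusted commits: $(sample_log | count_untrusted)"
```

The author email column is identical on every sample line, which is why the verdict has to come from the signature status and not from the name or address recorded in the commit.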