Is it really necessary to decide between secure and fast in the first place? Why not start with a fast hash and dynamically switch to a secure one if chain lengths get too high? (This was proposed two years ago but I think never went anywhere.)
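A sketch of the switch-on-long-chain idea raised above, as an added example that is not code from the comment or from the proposal it mentions. The names, the fixed table size, the threshold of 8, FNV-1a as the fast hash and keyed BLAKE2b as the secure one are all assumptions made for illustration.

```python
import hashlib
import itertools
import os

NBUCKETS, MAX_CHAIN = 1024, 8   # assumed sizes; a real table would also resize

def fnv1a(data: bytes) -> int:  # fast and unkeyed, so collisions are predictable
    h = 0xcbf29ce484222325
    for b in data:
        h = ((h ^ b) * 0x100000001b3) & 0xFFFFFFFFFFFFFFFF
    return h

class AdaptiveTable:
    def __init__(self):
        self.buckets = [[] for _ in range(NBUCKETS)]
        self.key = None             # None means still on the fast hash

    def _index(self, k: bytes) -> int:
        if self.key is None:
            return fnv1a(k) % NBUCKETS
        # Keyed BLAKE2b stands in for SipHash, which the stdlib does not expose.
        d = hashlib.blake2b(k, digest_size=8, key=self.key).digest()
        return int.from_bytes(d, "little") % NBUCKETS

    def insert(self, k: bytes, v) -> None:
        chain = self.buckets[self._index(k)]
        for i, (ek, _) in enumerate(chain):
            if ek == k:
                chain[i] = (k, v)
                return
        chain.append((k, v))
        if self.key is None and len(chain) > MAX_CHAIN:
            self._rehash_keyed()

    def _rehash_keyed(self) -> None:
        self.key = os.urandom(16)   # per-table secret, unknown to the key supplier
        entries = [e for b in self.buckets for e in b]
        self.buckets = [[] for _ in range(NBUCKETS)]
        for k, v in entries:
            self.buckets[self._index(k)].append((k, v))

    def get(self, k: bytes):
        return dict(self.buckets[self._index(k)])[k]

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)

def same_bucket_keys(n: int) -> list:  # constructed input sharing FNV bucket 0
    gen = (b"key%d" % i for i in itertools.count())
    return list(itertools.islice((k for k in gen if fnv1a(k) % NBUCKETS == 0), n))
```

The rehash is a one-time O(n) cost paid only by tables that actually see a long chain; tables fed benign keys stay on the fast hash.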