When people rush in to defend salted MD5/etc, they aren't actually doing it because they objectively think it's ok. They're doing it because presumably at some point in the past they have done it or allowed it to be done, they're just defending themselves. Unfortunate, since this is meant to be constructive criticism.
I would use bcrypt but it's not available as a encryption option for the realms in Apache Tomcat.
One possibility would be to write an own realm but it's not that easy. Plus additional work is needed to update existing hashes, currently I therefore use salted MD5-hashes.
Integrate your email systems with Google mail or MS mail. You'll quickly find that they do not accept bcrypt. Plain md5 or plain sha1 is all they support (at least that was the case two years ago). When you are forced to inter-operate with the big guys, you'll find not many actual use bcrypt.
What's actually wrong with bcrypt that prevents people from using it? Is it not available on all platforms? Too computationally expensive?