A couple reasons just on the performance side:
- SHA-256 has hardware acceleration on many platforms, but SHA-512 mostly doesn't.
- Setting aside hardware acceleration, SHA-256 is faster on 32-bit platforms, like a lot of embedded devices. If you have to choose between "fast on a desktop" vs "fast in embedded", it can make sense to assume that desktops are always fast enough and that your bottlenecks will be in embedded.
On older 64-bit CPUs without hardware SHA-256 (i.e. up to the Skylake derivatives), SHA-512 is faster.
Many recent Arm CPUs have hardware SHA-512 (and SHA-3).
Intel will add hardware SHA-512 starting with Arrow Lake S, to be launched at the end of 2024 (the successor in desktops of the current Raptor Lake Refresh).
Most 64-bit CPUs that have been sold during the last 4 years and many of those older than that have hardware SHA-256.
This may only be applicable to certain CPUs - e.g. sha512 is a lot slower on M1
$ openssl speed sha256 sha512
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
sha256 146206.63k 529723.90k 1347842.65k 2051092.82k 2409324.54k 2446518.95k
sha512 85705.68k 331953.22k 707320.92k 1149420.20k 1406851.34k 1427259.39k
https://crypto.stackexchange.com/questions/26336/sha-512-fas...