As you say, an MD5-hashed password in the UsernameToken is a password itself
(or password equivalent).
The reason for further hashing and salting the already hashed password is to
make offline dictionary attacks more difficult if someone manages to steal
the database. See
There are dictionaries of pre-hashed common passwords available which means
discovering passwords from non-salted password hashes is easy if you have
the database. This is why salting and iterative hashing are used.
If someone has stolen your database why bother about them getting the
passwords? Because people tend to use the same password on more than one
site, so you are preventing the hacker getting easy access to more sites.
The reason for hashing the password on the client is to provide a simple
level of protection if someone hacks inside your secure channel (which is
encrypted of course) and can get access to the unencrypted data. If this
happens then you're pretty stuffed though.
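
An added example, not part of the original message: a server-side sketch of salting and iteratively hashing the MD5 digest received from the client, next to a lookup against a table of pre-hashed common passwords. PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count, the word list and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not taken from the message


def client_digest(password):
    # What the client sends: MD5 of the password (a password equivalent).
    return hashlib.md5(password.encode("utf-8")).digest()


def make_record(digest):
    # Server side: a fresh random salt per user, then iterative hashing.
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", digest, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": stored}


def verify(digest, record):
    # Recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", digest, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(words):
    # A dictionary of pre-hashed common passwords: MD5 digest -> password.
    return {hashlib.md5(w.encode("utf-8")).digest(): w for w in words}


def demo():
    table = precomputed_table(["letmein", "password", "qwerty"])  # constructed
    digest = client_digest("password")
    # Database that stores the bare MD5: one dictionary lookup recovers it.
    unsalted_hit = table.get(digest)
    # Database that stores salted, iterated hashes: the table has no match,
    # and two users with the same password get different stored values.
    rec_a, rec_b = make_record(digest), make_record(digest)
    salted_hit = table.get(rec_a["hash"])
    return (unsalted_hit, salted_hit,
            rec_a["hash"] != rec_b["hash"], verify(digest, rec_a))


if __name__ == "__main__":
    print(demo())
```
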