Which is better marketing than cryptography. To make it REALLY secure, they could add another step, hash it using this function:
function slashHash() {
return('a');
}
You could never predict the result if they added slashHash to the sequence! :; Note that it doesn't matter if you put slashhash as the last step, the first step, or anywhere in the middle - the whole thing is broken if you have a breakable step anywhere in the procedure.
In the case of KeePass, it's not THAT bad because the thing they are hashing (your password) is probably shorter than either of the hashes, thus easy to guess. An eight character password doesn't provide much security, so not much is being lost. (8-12 characters is insufficient against offline attacks. 10-12 isn't bad for online systems that have server-side brute force /dictionary protection.)
The idea is that because most people's password is their pet's name or something equally easy to guess, KeePass might as well force the attacker to spend a second hashing each guess 500 times. That's not terrible IF you assume the users will choose short, weak passwords. However, it means the attacker does NOT have to guess the right password. They only need to guess any password which collides on any of the 500 rounds! Once the hash matches, hashing a match many more times still results in a match. In that way, it makes it 500 times easier for the attacker.
What that means is that if you did ten million rounds of SHA-256, ANY password would open your KeePass, 'dumb' would always work as an extra password because any password short enough to type will probably collide with "dumb" at one of those 10 million rounds. Of course the user and the attacker both have to sit around waiting for 10 million rounds to finish.
So in summary, more rounds means a) it's easier to guess and b) both the attacker and the user have to wait longer while the rounds run.