44

I was reading a paper related to post-quantum cryptography. It says that RSA, ECC and ElGamal encryption schemes would be obsolete with the advent of quantum computers. But the hash functions can still be secure. I don't understand how one can unilaterally claim this security when hash functions themselves are not based on any hard problems. (I do have knowledge of the Merkle–Damgård and Keccak constructions.)

Are there hash functions considered secure just because nobody has come up with a quantum algorithm to break them? Or are there any reductions to a well-known hard problem? If there are, please explain the reduction.

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240

4 Answers

54

It is a bit dubious to claim that hash functions "are not based on any hard problem": inverting a standard hash function, or finding a collision, is itself a very hard problem.

The point of a reduction is to gather the cryptanalytic effort on a smaller number of hypotheses. The fact that RSA-OAEP is CCA secure under the RSA assumption is not a proof that it is secure, simply an indication that to study its security, it suffices to study the security of the RSA problem. As many other cryptographic primitives can be reduced to the RSA assumption, it saves a considerable cryptanalytic effort.

Now, such reductions usually rely on some nice algebraic properties of mathematical hypotheses, exploiting group structure, self-randomizability, and so on. These properties are common in asymmetric cryptography, because such additional structure is already necessary in the primitives it involves. But in symmetric crypto, on the other hand, such structure is typically avoided. A consequence of that is that you need way smaller primitives (in terms of bit size) and much less computationally expensive operations to achieve a (conjectured) given security level, but you lose the possibility of reducing many symmetric primitives to a small number of hypotheses.

Still, for the most widely deployed block ciphers and hash functions, the cryptanalytic effort that has been invested in studying their security easily matches the effort invested in "generic hypotheses" such as the discrete logarithm or factorisation, because they are widely used in practice. Therefore, there is no reason to believe that, due to the lack of reductions, inverting SHA256 should be any easier than breaking RSA. In fact, because RSA has so much structure, most experts would probably be way more surprised by an attack that inverts SHA256 than by an attack that breaks RSA. Therefore, the fact that ElGamal and the like enjoy "reductions" absolutely does not make them more secure - it only establishes links between the hardness of different primitives.

That being said, quantum computers are not magical. We cannot say anything for sure about what we can or what we cannot break with them - for all we know, it could be that $P=NP$, and that all of cryptography can be broken using a classical computer. But our current knowledge gives us some intuition on the additional power they give over classical computers. And this intuition can be summed up as follows: it seems to give some additional power, but to still fall short of solving very hard problems (say, NP-complete problems) in reasonable time.

Some problems with a special structure (factorization, discrete log) typically fall in the category of problems for which quantum computers would give a very strong speedup, because they can be reduced to the task of finding the period of some function, which seems hard to do with a classical computer, but not with a quantum one. For unstructured problems, quantum computers seem to provide some non-trivial quadratic speedup, via the use of Grover's algorithm. But a quadratic speedup does not give an attack; it simply indicates that the size of the keys should be increased by a factor of two to compensate for this speedup.

Hash functions are rather unstructured, so we currently do not see how to get more than a quadratic speedup over a classical computer to attack one. Therefore, we currently conjecture that a hash function with 256 bits of classical security would still have 128 bits of quantum security. For collision resistance, quantum computers provide an even less impressive speedup: the birthday attack gives an $O(\sqrt{n})$ attack, and its quantum version seems only to make this attack $O(n^{1/3})$. (Note years later: see the comments below by SEJPM and Squeamish Ossifrage for why in reality this $O(n^{1/3})$ cost is a wild underestimate of the true cost of quantum collision search, and why it actually does not even beat the classical $\sqrt{n}$-time birthday paradox attack.)

Geoffroy Couteau
  • 21,719
  • 2
  • 55
  • 78
11

Common hash functions are based on combinatorial problems. Very coarsely, (future) quantum computers are claimed to be able to solve combinatorial problems with effort (at worst) $O(2^{k/2})$ for $k$ unknown bits, versus $O(2^k)$ for classical computers. Thus quantum computers do not imply the doom of security of all hashes; at worst, it implies doubling some security parameters.

I trust SHA-512 against all kinds of computers more than I trust SHA-256 against classical ones.


Update, 2024 (6.5 years later): Consensus is still that for combinatorial problems including SHA2 and SHA3, a hypothetical Cryptographically Relevant Quantum Computer would reduce security from $k$-bit to no less than $k/2$-bit, e.g. for preimage-resistance of a $k$-bit hash. And there's no conjectured method approaching this when it comes to collision-resistance of a $2k$-bit hash.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
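As an added illustration (not part of the original question or either answer above) of the figures quoted in the two preceding answers: the classical birthday bound of roughly $2^{k/2}$ hash evaluations for a $k$-bit collision, and the Grover-derived rule that a $k$-bit hash retains about $k/2$ bits of post-quantum preimage security. The script below runs a real birthday collision search against SHA-256 truncated to $k$ bits and tabulates the security levels the answers state. The truncation to $k = 24$ bits, the message format `b"m<counter>"` and the function names are my own constructed choices for the demo.

```python
"""Birthday collision search on a truncated SHA-256, plus the textbook
security-level figures quoted in the answers above. Example code written for
this page, not code from the original post; k = 24 and the message format
b"m<counter>" are constructed assumptions for a fast, deterministic demo."""
import hashlib
import math


def trunc_sha256(msg: bytes, k: int) -> int:
    """SHA-256 of msg, keeping only the top k bits (1 <= k <= 256)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - k)


def birthday_collision(k: int):
    """Generic (classical) birthday attack on the k-bit truncated hash.

    Hashes the constructed messages b"m0", b"m1", ... and stores each digest
    until two distinct messages share a k-bit digest. Returns
    (msg_a, msg_b, digest, queries). The expected number of queries is about
    sqrt(pi/2 * 2^k), i.e. O(2^(k/2)) hash evaluations, and the memory used
    is of the same order; this is what the answers refer to as the
    sqrt(n) birthday attack.
    """
    seen = {}
    i = 0
    while True:
        msg = b"m%d" % i
        h = trunc_sha256(msg, k)
        if h in seen:
            return seen[h], msg, h, i + 1
        seen[h] = msg
        i += 1


def expected_birthday_queries(k: int) -> float:
    """Expected hash evaluations until the first collision on a k-bit hash."""
    return math.sqrt(math.pi / 2 * 2 ** k)


def security_levels(output_bits: int) -> dict:
    """Security levels in bits (log2 of the attack cost) for an n-bit hash,
    as stated in the answers above:
      - classical preimage: exhaustive search, 2^n
      - quantum preimage: Grover's quadratic speedup, 2^(n/2)
      - classical collision: birthday bound, 2^(n/2)
      - quantum collision (BHT): 2^(n/3) *queries*. Per the note in the
        accepted answer this query count is a wild underestimate of the true
        cost and does not actually beat the classical birthday attack.
    """
    n = output_bits
    return {
        "classical_preimage": n,
        "quantum_preimage_grover": n / 2,
        "classical_collision_birthday": n / 2,
        "quantum_collision_bht_queries_only": n / 3,
    }


if __name__ == "__main__":
    k = 24
    a, b, h, q = birthday_collision(k)
    print(f"{k}-bit collision: {a!r} and {b!r} -> {h:#08x} after {q} hashes "
          f"(expected ~{expected_birthday_queries(k):.0f}; 2^({k}/2) = {2 ** (k // 2)})")
    for bits in (256, 512):
        print(f"SHA-{bits}-sized output:", security_levels(bits))
```

Running it shows a 24-bit collision after a few thousand hashes rather than the ~16 million a preimage search would need, which is the $2^{k/2}$ versus $2^k$ gap both answers rely on; the table then shows why SHA-512 keeps 256 bits of Grover-adjusted preimage security while SHA-256 drops to 128, matching fgrieu's preference for SHA-512 against all kinds of computers.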
0

The security of some symmetric structures can be proved against a quantum adversary as well. For example, you can see 'Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation'. SHA3 is based on the sponge function, whose security has been proved under some assumptions against a quantum adversary. You can find some of them with just a quick search.

ali khosravi
  • 171
  • 6
-15

A hash is just a symmetric cipher run in a loop, encrypting the input using a key also from the same input, and often with extra stuff sprinkled in as you go (e.g. prime remainders in SHA-2).

I'm no expert, but whether or not any hash is quantum-resistant boils down entirely to whether or not the symmetric cipher chosen for the hash is.

The SHA-2 cipher is secret (classified), so only the NSA (who invented SHA) know if it's quantum-resistant or not.