An anecdote: About a month ago, just to experiment with websockets I built a tiny app using Tornad. I spent a long time trying to figure out why it didn't work before I realized that the latest versions of Tornado and Chromium spoke different versions of the web socket protocol. When Tornado 2.1 came out, the app started working.
The WebSockets standard is not finalized. Everybody deploying today is deploying a draft which is subject to change.
There is no single version of WebSockets which all browsers support. Firefox is not currently shipping WebSockets, but MozWebSocket, which is subtly different and also named differently to discourage usage. They don't want people doing WebSockets. (Aside: Try finding a Moz employee willing to talk about WebSockets. None are listed on the work page in their wiki.) Chrome ships the supposedly-insecure Hixie-76. Which is also HyBi-00. Which leads to...
WebSocket's versioning is somewhere between misleading and nonexistent. Many deployed versions predate the versioning header, so they have to be detected ad-hoc. The version in the protocol isn't always bumped with every new draft that comes out.
The protocol tries so very hard to be HTTP, but can't always cross proxies. This is really only important because (a) long-polling and Comet can easily cross proxies and (b) WebSockets aren't HTTP. It's less code to write a non-HTTP WebSockets server than to bolt one onto an existing HTTP server.
WebSockets security is non-existent. There is no WebSockets protection against proxy attacks, and there is no same-origin policy, so there is nothing stopping an attacker from opening a WebSocket to an unfriendly domain. No security advantage over boring plain sockets. (To their credit, WebSockets do specify SSL/TLS interaction.)
There are more issues, but that's what comes to me from memory after spending the better part of a year caring about these damn things.
