Crashing bugs, any bug that might result in loss of bitcoins, and security fixes are always highest priority, but here are the big things I think are very high priority that, as far as I know, nobody is working on. I think they all need to be done before we can say we have a "Bitcoin 1.0" :
- finish download-only-blockheaders client mode
- password-protect the wallet private keys (mitigate the steal wallet.dat problem: see https://gist.github.com/803170 )
- import a backed-up wallet
- figure out how to do click-to-pay
- design/implement a secure DNS-like "map string to bitcoin address" system (so I can send bitcoins to "firstname.lastname@example.org")
- export+encrypt part of your balance (for long-term storage; I still waffle on whether we want to encourage that right now)
Stumbled upon Gavin's post from over a year ago and wondered about the status of these points. It looks like the pace of development is slow, but not being a programmer, I feel all I can do to help is tell businesses and friends about bitcoin, play bitcoin poker, order the magazine, and bomb hundreds of coins at SatoshiDice.
Figure out how to do click-to-pay - it's pretty easy, the bitcoin URI is pretty well defined by now, all you need to do is register the URI in the OS so that when it's accessed, the OS will know to forward it to the bitcoin client. This works well with bittorrent URIs, I don't see why it can't work the same way with Bitcoin.
The problem that I foresee is fraudulent bitcoin URIs. Consider the following:
You're surfing Amazon.com, and want to buy a book. You click on the "Pay with Bitcoin" button, but at some point a malicious factor in your system (or on the host site, Amazon.com for this example) replaces Amazon's tried and true Bitcoin address with it's own, trying to force you pay to the hacker instead to Amazon. Bad for Bitcoin, bad for the client, and bad for Amazon.
What is needed is a list of "Trusted" and "Registered" addresses that clients can look up and verify before sending out the payment.
I have a feeling that this is very related to the "DNS-like map string to bitcoin addresses" issue - it's one problem that compliments another, and it the click-to-pay requires you to have some kind of verified address that you can identify before making a payment.