One of the major issues with SOAP that has not properly and formally been addressed is the whole aspect of authentication and encryption. Really, many of these issues are not specific to web services. For example, this issue has existed for ages with normal websites that provide web-based interfaces to back end systems. Even if SSL server and client certificates are used, how can those identifies be forwarded properly to other systems? How can the database (which could be running in a backend server farm) verify the identify of who is connecting? X.509 on its own is not always the answer. Currently, the SOAP standards do not really discuss the possibilites if encrypting portions of XML documents, or even containing builtin data validation methods such as checksums.
This article (available in HTML and PDF formats) has an interesting discusson on security and web services: http://www.eaijournal.com/Article.asp?ArticleID=636&DepartmentID=9
One error made by that author is stating that SSL is not applicable to non-HTTP protocols. In fact, SSL is a session layer thing and can be applied to any TCP connection, not just HTTP.