Something I see quite a good amount of with Drupal modules is a tendency to hold onto fixes committed to CVS for some time. I believe this is counter productive. While yes, it is good to hold onto new, big features until they have simmered for a while and proven to be stable, smaller updates and especially bug fixes, should be rolled out regularly.
One of the difficulties with Drupal is that with so many modules needed to make a good site you can end up with a dozen or more different CSS files. On occasions when you need to tweak the CSS to match a specific design, or fix something for IE6, it can take quite a while to dig down to the exact definition you need. You might try throwing random snippets of CSS at the problem to try to make it go away, but they usually won't work.
I've personal never understood the point of having a username for web sites when 99% of them also require an email address that is unique to you - just use the email address! In the world of Rails development many developers use the excellent restful_authentication to provide the user login structure, but again out of the box it uses a username. Silly thing. So instead, here's how to make restful_authentication sit rather happy with just an email address.
A key design flaw in Drupal 5, especially for anyone dealing with large quantities of data, is that it doesn't use the database's built in auto-incrementing counters for its table primary keys, instead it manually tracks an per-table integer in a table called "sequences" which is updated each time new records are added. This is a bad design in all sorts of ways and really should have died a horrible death many years ago.