Apparently they partnered with the TextSecure people https://whispersystems.org/blog/whatsapp/ to provide end-to-end encryption (Android non-group chat only for now). Apart from the fact that the client is still closed source and untrustable, they now seem to be in a better security situation than the other popular messaging apps.
For example, they store the message database on the shared mass storage partition (a.k.a. SD card), where it can be read by all installed applications.
Wasn't it also true that the password for every account was a simple function of the phone number? Then they changed it, only to base it on the IMEI instead.
I didn't look at it again so I don't know if they fixed it for real in the end.