The problems to address as viewed by a member of the developers' email list . . .
The problem with proof of stake is essentially that there is no cost to
creating a proof-of-stake. So there are two problems here:
One is that stake voters are free to vote for multiple chains, and since
only one will be the "real" chain, i.e. the one with the longest proof of
stake, the extra votes will simply go away. So there is no cost to voting
for multiple blocks. (A way to discourage this might be to use a signature
scheme where signing multiple signatures with the same key causes the key
to be revealed. But it is not clear what should be done after the fact,
since there is no consensus on which blocks exist or are 'valid' for the
proof of stake to fall back on.)
Another problem is that the stake voters are chosen 'randomly' but
deterministically by the content of earlier blocks. This allows a
voter to grind through blocks until he finds one which will give him
more votes in the future than he otherwise should get. Then the proof
of stake becomes a proof-of-work, but one that discourages consensus
since all voters will want to do this.
This problem is what wrecked Peercoin, which I understand is now
centralized (all blocks are signed by the developers to be valid). It is
also a problem with NXT, as of the last time any of us at
#bitcoin-wizards looked at their code.
I talk about this a bit in Section 5 of my document on ASICs and proof
of work:
https://download.wpsoftware.net/bitcoin/asic-faq.pdf
A goal of proof-of-stake is that it should be easy and cheap to create
a history, at least relative to proof-of-work. Perhaps people want this
for environmental reasons or some sort of "the people should own the
means of production" mentality. But this makes it easy to overwrite
history. As I described above, an attempt to force all participants to
participate in such fraud (thereby making it unfeasible) by, say, having
each block voted on by several random participants, doesn't work because
the random selection can always be gamed.
There have been fun conversations on #bitcoin-wizards about getting
random numbers from the sun, or cosmic radiation, or pulsars, since
these numbers would be both random and verifiable by many parties.
Certainly this would require expensive equipment for all verifying
parties, which intuitively is bad for Bitcoin because people verify
transactions for free and we want this to be as cheap and easy as
possible. (To the best of my knowledge nobody has suggested choosing
stake voters from such random numbers, though there have been many
ideas and I might've missed it. Pulsars are nice because they give us
a clock which everyone within several light years can agree on, which
is good for e.g. sharing the Bitcoin blockchain with Martians. This
is almost always a more popular discussion topic than PoS.)
It's also unclear that PoS can be equitable anyway, since selecting
voters based on "stake" seems to favor the very rich disproportionately.