SRP has a number of problems, the most
The biggest issue I am aware of is the mostly worthless notion of protecting stored passwords by irreversibly hashing passwords changes.
While stolen SRP verifiers (the equivalent of a password hash) can't be used to log in to a legitimate system, they can, like password hashes, be used to conduct brute force attacks, and they can also be used to trick individuals into thinking they are connecting to a legitimate service. This is equivalent to theft of a private key or subversion of CA infrastructure.
The other problem is that when PKI is not used with SRP, the authenticating identity is transmitted in the clear, which may give away information (e.g. a username or alias) to an eavesdropper that users may not want disclosed in the clear.
notable being that there's no way to securely *distribute* (or create) the password without falling back to some other TLS suite, or doing it out of band. This really limits the usefulness of SRP in a browser.
Saying that bootstrapping trust is SRP's problem is like saying distributing trusted certificates is PKI's problem.
At some point you need to do work to create trust relationships. This is a fundamentally unavoidable reality, the same way people in the real world come to trust or not trust other individuals based on their experiences.
I do NOT believe SRP is a replacement for PKI. They each have their roles and I believe they can and should be used concurrently. PKI is obviously much better suited for initial service discovery on the Internet. Yet the reality is most sites worth protecting with TLS require a login of some kind. Everyone has a login for their email accounts, their banks and their facebooks... What I find unacceptably dangerous is the world continuing to ignore individual trust relationships to secure sessions... because the alternative is asking hundreds of redundant global trust anchors to be responsible for the security of the world's systems... a laughably insane delusion.
Additionally, I'm not sure how browser support for SRP is supposed to make phishing stop working. If the user still needs to enter their password somewhere, then the phishing attack just has to look like wherever they usually enter their password.
It becomes tractable to educate users to enter their passwords only into a specific browser menu rather than random attacker forms, which appear to be indistinguishable from legitimate counterparts which are constantly subject to change, redesign and often contain baseless security assertions (such as fake padlock imagery and baselessly reassuring text).
On the other hand, there are definitely places that I'd like to see SRP deployed. A key one, which I consider a lot more important than in browsers, would be as a replacement for NTLM hashes
NTLMv2 and Kerberos Authentication both need to be replaced with a modern secure authentication system; however, a lot more people log in to websites using pre-established usernames and passwords than they do to a network file share. Many of them have no training and believe whatever they see on their screens because even legitimate sites spew lies to cover for a fundamentally indefensible reality where insecure authentication is tolerated.
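The point above that a stored SRP verifier can be guessed against offline like a password hash, shown as an added example that is not part of the original thread: an audit that checks verifier records against a weak-password list. The derivation follows the SRP-6a formulas in RFC 5054; the toy group, the salt, the account names, the word list and the function names are assumptions constructed for the demonstration.

```python
import hashlib

# Toy group so the example runs instantly (assumption, not from the thread).
# Real SRP uses a large safe-prime group such as those defined in RFC 5054.
N = 2**127 - 1
G = 3

def H(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()

def private_x(salt: bytes, user: str, password: str) -> int:
    # SRP-6a as in RFC 5054: x = H(salt | H(user ":" password))
    inner = H(user.encode(), b":", password.encode())
    return int.from_bytes(H(salt, inner), "big")

def make_verifier(salt: bytes, user: str, password: str) -> int:
    # v = g^x mod N is what the server stores next to the salt.
    return pow(G, private_x(salt, user, password), N)

def audit_verifier(salt, user, stored_v, weak_passwords):
    """Return the weak password that reproduces stored_v, or None.

    Everything needed for the check (salt, username, verifier) sits in the
    server's table, so no interaction with the login service is involved.
    """
    for candidate in weak_passwords:
        if make_verifier(salt, user, candidate) == stored_v:
            return candidate
    return None

# Constructed sample data for the demonstration.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
WEAK = ["123456", "letmein", "password123", "qwerty"]

if __name__ == "__main__":
    weak_record = make_verifier(SALT, "alice", "password123")
    strong_record = make_verifier(SALT, "bob", "k7#Vq9-tunable-Orchard-42")
    print("alice:", audit_verifier(SALT, "alice", weak_record, WEAK))
    print("bob:  ", audit_verifier(SALT, "bob", strong_record, WEAK))
```
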