What's wrong with bcrypt

* No parallelism, 32-bit word size - slows down defender
  - Low instructions per cycle (attack is ~2x faster), can't use SIMD
  - Attacker's use of SIMD is also impacted, though - except on devices with scatter/gather addressing (or at least gather)
    * Intel MIC (2012, limited availability), AVX2 (2013, will be widespread?)
* Low memory needs (only 4 KB) - defender's off-chip RAM is not put to use (only L1 cache is), attacker does not need to provide DRAM
  - Yet due to bcrypt's memory access pattern this turns out to be (barely) enough to defeat GPUs so far (AMD Radeon HD 7970 is only about as fast as a CPU)
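
An added illustration, not code from the original slides: a simplified model of the Blowfish lookups inside bcrypt, showing the 4 KB of per-candidate S-boxes and why computing several candidates in vector lanes requires gather addressing. The lane count, the xorshift filler for the S-boxes and the omission of the P-array are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define LANES 8  /* one candidate password per 32-bit vector lane */
/* bcrypt's S-boxes are key-dependent: every candidate has its own 4 KB set. */
typedef struct { uint32_t S[4][256]; } lane_state;
static lane_state st[LANES];

/* Constructed filler (xorshift32); real bcrypt derives S from password and salt. */
void fill_state(uint32_t x) {
    for (int i = 0; i < LANES * 4 * 256; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        st[i / 1024].S[i / 256 % 4][i % 256] = x;
    }
}

/* Blowfish F: four lookups indexed by bytes of the data being encrypted. */
static uint32_t F(const lane_state *s, uint32_t x) {
    return ((s->S[0][x >> 24] + s->S[1][(x >> 16) & 0xff])
            ^ s->S[2][(x >> 8) & 0xff]) + s->S[3][x & 0xff];
}

/* Word offset from st[0] of each lane's S[0] load; returns 1 if the offsets
   are not unit-stride, i.e. a plain vector load cannot fetch them. */
int s0_offsets(const uint32_t l[LANES], size_t off[LANES]) {
    int gather = 0;
    for (int i = 0; i < LANES; i++) {
        off[i] = (size_t)i * (sizeof(lane_state) / 4) + (l[i] >> 24);
        if (i && off[i] != off[i - 1] + 1) gather = 1;
    }
    return gather;
}

/* One simplified Feistel round per lane (P-array XOR omitted). */
void round_all(uint32_t l[LANES], uint32_t r[LANES]) {
    for (int i = 0; i < LANES; i++) {
        uint32_t t = r[i] ^ F(&st[i], l[i]);
        r[i] = l[i]; l[i] = t;
    }
}

int main(void) {
    uint32_t l[LANES] = {0}, r[LANES] = {0};
    size_t off[LANES];
    fill_state(2463534242u);
    for (int n = 0; n < 4; n++) {
        int g = s0_offsets(l, off);
        printf("round %d: gather=%d lane 1 offset=%zu\n", n, g, off[1]);
        round_all(l, r);
    }
    return 0;
}
```

Each lane's next index depends on the output of its previous round, so the load addresses cannot be computed ahead of time, and without a gather instruction the lanes fall back to separate scalar loads.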