Type: New Feature
Priority: Major - P3
Affects Version/s: None
Fix Version/s: None
The lack of a graceful shutdown makes it very easy today to get data loss with a slow replication link.
Take the use case where you write with write concern JOURNALED, insert several thousand documents and shut down the primary node. In a configuration with another node and an arbiter, the second node will become primary in a matter of seconds and will start serving reading and writing clients.
By the time the old primary restarts and generates a rollback file, the new primary will have accepted numerous writes, some of which cannot be merged with the rollback file (not even manually). Not to mention that while the old primary is down, reading clients will get a state that is older than the state that was previously accepted.
In the context of mongo, a graceful shutdown should
- disallow writes
- wait for at least one other node to be up to date
- step down
As an example, I wrote MongoShutdown.java, which takes care of gracefully shutting down a node in a topology with 2 nodes and an arbiter. I believe, however, that this kind of service should be directly provided by the server.
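The three steps above, as an added example in Python (this is not the reporter's MongoShutdown.java and not server code). It assumes member documents shaped like replSetGetStatus output, a fake command runner standing in for mongod so the sequence runs offline, and fsync locking as the mechanism for refusing writes.

```python
"""Graceful primary step-down: block writes, wait for a caught-up secondary, step down."""
from typing import Callable, Dict, List, Optional, Tuple

def optime_of(member: Dict) -> Optional[Tuple[int, int]]:
    """Normalise a member's optime from replSetGetStatus output to (secs, inc).
    Assumed shapes: Timestamp {"t","i"} or the newer {"ts": Timestamp, "t": term}."""
    op = member.get("optime")
    if op is None:                      # arbiters carry no optime
        return None
    ts = op["ts"] if "ts" in op else op
    return (ts["t"], ts["i"])           # tuple order matches Timestamp ordering

def caught_up_secondaries(status: Dict) -> List[str]:
    """Names of SECONDARY (state 2) members at or past the PRIMARY's (state 1) optime."""
    members = status["members"]
    primary = next((m for m in members if m["state"] == 1), None)
    if primary is None:
        return []
    target = optime_of(primary)
    return [m["name"] for m in members
            if m["state"] == 2 and optime_of(m) is not None and optime_of(m) >= target]

def graceful_stepdown(run_command: Callable[[Dict], Dict], polls: int = 30) -> bool:
    """The three steps from the ticket; run_command is injected so this runs without a server.
    Locking via fsync is the assumed way to refuse writes; unlocking after a successful
    step-down is left to the caller, which is about to shut the node down anyway."""
    run_command({"fsync": 1, "lock": True})             # 1. disallow writes
    for _ in range(polls):                              # 2. wait for one up-to-date node
        if caught_up_secondaries(run_command({"replSetGetStatus": 1})):
            run_command({"replSetStepDown": 60})        # 3. step down (60 s before re-election)
            return True
    run_command({"fsyncUnlock": 1})                     # nobody caught up: back out, stay primary
    return False

def make_fake_runner(lag_polls: int):
    """Constructed stand-in for mongod: the secondary lags over a slow link for lag_polls polls."""
    issued: List[Dict] = []
    seen = {"polls": 0}
    def run(cmd: Dict) -> Dict:
        issued.append(cmd)
        if "replSetGetStatus" not in cmd:
            return {"ok": 1}
        seen["polls"] += 1
        sec_ts = {"t": 1690, "i": 2} if seen["polls"] <= lag_polls else {"t": 1700, "i": 5}
        return {"members": [
            {"name": "a:27017", "state": 1, "optime": {"ts": {"t": 1700, "i": 5}, "t": 3}},
            {"name": "b:27017", "state": 2, "optime": {"ts": sec_ts, "t": 3}},
            {"name": "arb:27017", "state": 7}]}         # arbiter: never eligible
    return run, issued
```

With `make_fake_runner(lag_polls=2)` and `polls=5` the step-down is issued on the third poll; with a link that never catches up within the poll budget the function unlocks and reports failure instead of stepping down onto a stale secondary.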