On a theoretical basis, an expired certificate is a certificate which must not be used any longer. This is made explicit in the the Internet X.509 Profile in the certificate validation algorithm (section 6.1.3, item a.2). In practice, this has two consequences:
The key owner (the server) must keep its private key, well, private. Anybody who gets a copy of the private key may impersonate the server. Keeping some data private is not totally immediate; e.g. you have to think about how you do your backups. Once the certificate has expired, the server may simply cease to bother about key privacy, since the corresponding public key is not to be used anymore. If you (as a SSL client) decide to accept an expired server certificate, you take the risk of using a public key for which the corresponding private key has simply been abandoned and scooped up by a bad guy.
There is such as thing known as revocation. When a CA revokes a certificate, it says: "yeah, that's my signature on that certificate, but let's all act as if I never signed that". A typical revocation situation is when the private key was compromised. The CA constantly publishes the revocation status of the certificates it has emitted through CRL (lists of revoked certificates) and OCSP (a dedicated revocation status check protocol). A SSL client is supposed to get information on the server certificate revocation status before accepting it (in a Web / HTTPS context, most clients do not bother). The key point is that once a certificate has expired, the CA ceases to keep track of its revocation status (this avoids having CRL grow indefinitely). Hence, a client accepting an expired certificate takes the risk of unknowingly using a certificate which has been revoked during its lifetime.
As Peter Gutmann says it, the end of validity date in a certificate "denotes the time at which you have to pay your CA a renewal fee to get the certificate reissued". The business model of commercial CA inherently relies on clients honouring the end of validity date. This also explains why Web browsers are keen on displaying scary warnings when a certificate is expired.
