Mikkel,
I believe what you are running into is different from what is originally reported for this thread.
Please see the following KB article regarding this exactly: http://www.symantec.com/docs/TECH249167
And this article for additional information: http://www.symantec.com/docs/INFO4782
The two KBs you mention (KB4072698, KB4078130) are mutually exclusive, and which one you want to implement in your environment will be determined by your business's planned response to the Spectre and Meltdown threat.
One (KB4072698) sets the flag mentioned, and the other (KB4078130) unsets the flag. When both are included in the Patch policy they "fight" over the setting.
- On one run the flag is determined to be unset so KB4072698 triggers and sets it.
- On the next run the flag is determined to be set and KB4078130 triggers and unsets it.
- On the next run we are back in the first condition and this loop continues.
The solution is to determine which state you wish for your computers to be in (flag set or unset) based on your business's decisions on how to deal with the threat, and leave that policy enabled, and disable the other.