Hi Grant,
Here's my setup if you want to reproduce the problem:
Three servers (one main, two replicated - replicating logs from child to parent only, nothing else). SEP/SEPM started from MR2 to MR4 MP2, embedded database (all clients and servers were upgraded together); had the problem from MR2 through today.
Windows Server 2003 Standard SP2, 4GB RAM (/PAE switch in boot.ini), dual Xeon processors, plenty of hard drive space (OS installed on C, all apps installed on D, dedicated swap file on separate partition). Servers all get content from Symantec every 4hrs, computers that don't connect in 30 days are purged, log pruning is all 60 days.
Clients are mostly XP Pro SP2/SP3, some Windows 2000 Pro (SP4), and a handful Windows 7 RC 64 bit. Clients use a location-based policy (check for SEPM connection only implemented since MR4 MP1A) and if they are on the WAN, get content updates from SEPM/GUP only, otherwise get from Symantec only (off WAN). Clients configured in pull mode, heartbeat of 1 hour.
What I have noticed: decommissioned clients but never removed from AD or SEPM get purged in 30 days but SEPM still shows them in the Security Status / More details screen with failures. Some of the computers showing up *may* have been turned off and purged after 30 days but turned on and the client shows updated definitions but SEPM shows failures. Some, I can't explain as these should have been on at least once every other week at a minimum (user goes on vacation). These ones I cannot explain show up with Antivirus definition failures but the date of the definitions is blank in that More Details screen.
Let me know if you need more information.