I've been rolling the above configuration to approx 5k machines. A small number approx 200 are being reported as UNPROTECTED on the Product Protection Summary Report. I have spot checked these machines and VSE 8.5i is installed, is patched and is recieving policy updates. A reboot seems to correct this problem.
I also occasionally see systems reporting "unprotected". We don't get the numbers that you are seeing, only usually about 3 out of 1400 systems. Like you a reboot fixes the issue for a short time. Hopefully someone can offer a suggestion why this is happening.
The odd thing is that a DAT report shows the system having up-to-date virus dats.