OK - to partly answer my own question, I realise now that the Threat Advisory is also listing items in the "Previous" branch of my repository. This explains what the duplicates exist and are shown as having the wrong version.
However, can anyone advise on the other item - which I think is now limited to the "Audit Engine Content".
Audit Engine Content is the updatable content that's used by policy auditor. (Possibly risk advisor as well - I'm not sure exactly.)
In the first instance, remove this package from the repository, and then run the pull task again - does that solve things?