Which SEP version are you using?
How did you implement GUP in the LU policy (IP address/hostname or rule)?
Are the non-updating clients always the same clients?
Are these clients communicating with the SEPM?
Do they have the current policy? (Check policy serial number of group in SEPM console and client.)
Are clients and GUP in the same SEP group (or are they at least sharing the same LU policy)?
Are clients and GUP in the same subnet?
Is there a non-Symantec firewall perhaps blocking port 2967 (where the GUP is listening)?

Some stuff:
Best Practices with Symantec Endpoint Protection (SEP) Group Update Providers (GUP)
http://www.symantec.com/docs/TECH93813
How to analyze Debug logs from GUP to determine which clients are taking definitions from GUP
https://www-secure.symantec.com/connect/articles/how-analyze-debug-logs-gup-determine-which-clients-are-taking-definitions-gup-0
SEP Content Distribution Monitor:
https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor
GUP videos:
https://www-secure.symantec.com/connect/videos/group-update-providers-part-1
https://www-secure.symantec.com/connect/videos/group-update-providers-part-2