We opened a case because of the difficulty of finding detailed info online: Symantec support asked us to run some debugging tools on our SEP clients that were supposed to update via IIS.
SEPDebug_1.25
Sep_SupportTool
With this scan we saw that the clients were correctly receiving the policy from the SEPM and that they were receiving an ACL error from the IIS server, which was misconfigured.
Our web server had the permission set to Everyone in Read for the setup.exe file, but the local folder of the server did not have the Everyone-Read permission on the Security tab (not web security, which was already set).
Changing the permission from admin-only to Everyone read made the web upgrade process work correctly. Hope this helps someone.
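
The following is an added example, not part of the original post and not a Symantec tool: a PowerShell check that reports whether the NTFS ACL (the Security tab, as opposed to the IIS web permission) grants Everyone Read on the package folder and on setup.exe. The folder path is a placeholder and the function name `Test-EveryoneRead` is hypothetical.

```powershell
# Assumed placeholder: replace with the physical folder behind the IIS site.
param(
    [string]$PackageFolder = 'C:\inetpub\wwwroot\<package-folder>'
)

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
$Read        = [System.Security.AccessControl.FileSystemRights]::Read
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-EveryoneRead {
    param([string]$Path)

    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $allow = $false
    $deny  = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $EveryoneSid) { continue }
        # Inherit-only rules apply to child objects, not to this object.
        if ($rule.PropagationFlags -band $InheritOnly) { continue }

        if ($rule.AccessControlType -eq 'Allow') {
            # Allow counts only if every bit of Read is granted.
            if (($rule.FileSystemRights -band $Read) -eq $Read) { $allow = $true }
        }
        elseif ($rule.FileSystemRights -band $Read) {
            # A Deny on any part of Read overrides the Allow.
            $deny = $true
        }
    }

    [pscustomobject]@{
        Path         = $Path
        AllowRead    = $allow
        DenyRead     = $deny
        EveryoneRead = ($allow -and -not $deny)
    }
}

# Check both the folder and the installer, as in the case described above.
$targets = @($PackageFolder, (Join-Path $PackageFolder 'setup.exe'))
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Test-EveryoneRead -Path $t }
    else { Write-Warning "Not found: $t" }
}
```

A result of `EveryoneRead = False` on the folder while the file shows `True` matches the misconfiguration described in the post.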