Landscape fails to apply security updates

Bug #1704689 reported by Paul Gear
This bug affects 2 people
Affects: Landscape Client
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Logging into an LDS-managed system, I found that various recent security updates were not applied:

20 packages can be updated.
18 updates are security updates.

This system is reporting in successfully (last ping time was less than 1 minute ago as I write this), and is part of a regular auto-upgrade activity.

The system in question reports the following package counts in Landscape, contradicting apt's figures:

Available Installed Upgrades Held
61116 851 2 1

$ sudo apt list --upgradable | grep security

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libasn1-8-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libgcrypt20/xenial-updates,xenial-security 1.6.5-2ubuntu0.3 amd64 [upgradable from: 1.6.5-2ubuntu0.2]
libgssapi3-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libhcrypto4-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libheimbase1-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libheimntlm0-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libhx509-5-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libkrb5-26-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libroken18-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
libsmbclient/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
libwbclient0/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
libwind0-heimdal/xenial-updates,xenial-security 1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 [upgradable from: 1.7~git20150920+dfsg-4ubuntu1]
ntp/xenial-updates,xenial-security 1:4.2.8p4+dfsg-3ubuntu5.5 amd64 [upgradable from: 1:4.2.8p4+dfsg-3ubuntu5.4]
python-django/xenial-updates,xenial-updates,xenial-security,xenial-security 1.8.7-1ubuntu5.5 all [upgradable from: 1.3.1-4ubuntu1.23]
python-samba/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
samba-common/xenial-updates,xenial-updates,xenial-security,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 all [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
samba-common-bin/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
samba-libs/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]
smbclient/xenial-updates,xenial-security 2:4.3.11+dfsg-0ubuntu0.16.04.9 amd64 [upgradable from: 2:4.3.11+dfsg-0ubuntu0.16.04.7]

Some of the above can be explained as having been released after the last scheduled auto-upgrade, but the NTP package was released nearly 2 weeks ago: https://usn.ubuntu.com/usn/usn-3349-1/

There are no reports of issues involving this system in <server>/account/standalone/computers/criteria/alert:package-reporter/packages/reporter, nor are there any hung landscape-package-reporter processes:

$ sudo service landscape-client status
● landscape-client.service - LSB: Landscape client daemons
   Loaded: loaded (/etc/init.d/landscape-client; bad; vendor preset: enabled)
   Active: active (running) since Tue 2017-06-27 12:31:16 UTC; 2 weeks 5 days ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/landscape-client.service
           ├─1294 /usr/bin/python /usr/bin/landscape-client --daemon --pid-file /var/run/landscape/landscape-client.pid
           ├─1295 /usr/bin/python /usr/bin/landscape-broker --ignore-sigint --quiet
           ├─1296 /usr/bin/python /usr/bin/landscape-monitor --ignore-sigint --quiet
           └─1297 /usr/bin/python /usr/bin/landscape-manager --ignore-sigint --quiet

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Tags: canonical-is
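
The mismatch described in the report (apt lists pending security updates while the management console shows far fewer upgrades) can be checked on the host itself. This is an added example, not code from the report or from Landscape: the function names are hypothetical, the console figure is typed in by the operator, and the parser assumes the `apt list --upgradable` line format shown above.

```shell
#!/bin/sh
# Added example: function names and sample data are illustrative, not Landscape code.

# Constructed sample: three package lines copied from the report above, one
# made-up non-security line (examplepkg) and the header line apt prints first.
sample_apt_output() {
cat <<'EOF'
Listing...
ntp/xenial-updates,xenial-security 1:4.2.8p4+dfsg-3ubuntu5.5 amd64 [upgradable from: 1:4.2.8p4+dfsg-3ubuntu5.4]
python-django/xenial-updates,xenial-updates,xenial-security,xenial-security 1.8.7-1ubuntu5.5 all [upgradable from: 1.3.1-4ubuntu1.23]
libgcrypt20/xenial-updates,xenial-security 1.6.5-2ubuntu0.3 amd64 [upgradable from: 1.6.5-2ubuntu0.2]
examplepkg/xenial-updates 1.0-2 amd64 [upgradable from: 1.0-1]
EOF
}

# Print the name of every upgradable package offered from a *-security pocket.
security_upgrades() {
    awk '
        # Skip headers and warnings: only package lines carry "[upgradable from: ".
        !/\[upgradable from: / { next }
        {
            split($1, head, "/")              # head[1] = name, head[2] = pocket list
            n = split(head[2], pockets, ",")  # pockets may repeat (see python-django)
            for (i = 1; i <= n; i++)
                if (pockets[i] ~ /-security$/) { print head[1]; break }
        }'
}

# drift_check REPORTED: read apt output on stdin and compare the number of
# pending security upgrades with the total upgrade count the console shows.
# Returns 0 if consistent, 1 if apt sees more than was reported, 2 on bad input.
drift_check() {
    reported=$1
    case $reported in
        ''|*[!0-9]*) echo "usage: drift_check <reported-upgrade-count>" >&2; return 2 ;;
    esac
    pending=$(security_upgrades | sort -u | wc -l)
    pending=$((pending + 0))                  # strip padding some wc builds add
    echo "apt_security_pending=$pending console_upgrades=$reported"
    [ "$pending" -le "$reported" ]
}

# The console in the report showed 2 upgrades; the sample holds 3 security ones.
sample_apt_output | drift_check 2 || echo "DRIFT: apt lists more security upgrades than the console reported"
```

On a managed host, pipe the real listing in instead of the sample: `apt list --upgradable 2>/dev/null | drift_check <count shown in the console>`.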
Paul Gear (paulgear) wrote :

This may be a duplicate of lp:1433383. Per the instructions there, I've collected /var/l*/{apt,dpkg,landscape}* before restarting the landscape client, and placed them in https://private-fileshare.canonical.com/~paulgear/lp1704689/

tags: added: canonical-is
Paul Gear (paulgear) wrote :

Also, the system in question was recently upgraded from precise to trusty to xenial, if that makes any difference.

Paul Gear (paulgear) wrote :

After restarting the landscape client, correct security updating has occurred. I'm not sure if landscape or unattended-upgrades was responsible for this.

This report contains Public Security information  
Everyone can see this security related information.
