I don't use agents but I have the same setup as you, defined patch groups containing every single patch. Then the next month create another group conating every update at that point in time. I can confirm that this works for normal deployments from the console, have you tried without the agents?
Let's give it a shot...
Uninstalled Chrome from my test machine and then ran a patch scan using the same templates that I had configured on the agents. No patches missing.
I then installed the same old version of Chrome used above.
I then scanned the machine for missing patches. 1 patch missing, not 35!
Installed the 1 patch, did a rescan, now I'm fully patched up!
So this does look to be specific the logic used when the Agent's patch themselves. Quite odd...