best response confirmed by JWW-CSISD (Occasional Contributor)
So it's fixed. Finally. I had to check replication for each GPO individually in the GPMC to find the two that were causing problems. All 467 policies.
I still have no idea what was wrong with those 2 policies. The ACLs were fine. Using icacls to remove/re-add the domain admins permission didn't help. Eventually I gave up and recreated those two policies from scratch, then deleted the old ones, and suddenly everything is hunky-dory!
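
Added example, not part of the original post: one way to script the per-GPO replication check across every domain controller instead of clicking through each policy in the GPMC. It assumes the RSAT `GroupPolicy` and `ActiveDirectory` modules and read access to all GPOs; it compares only version numbers (AD vs. SYSVOL, and each DC vs. a reference DC), not ACLs, and treating the first DC returned as the reference is an assumption of this sketch.

```powershell
# Added example: flag GPOs whose AD (GPC) and SYSVOL (GPT) versions disagree,
# or whose versions differ between domain controllers.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$referenceDc = $dcs | Select-Object -First 1   # assumption: first DC is the reference

# Index the reference DC's view of every GPO by GUID.
$reference = @{}
foreach ($g in Get-GPO -All -Server $referenceDc) { $reference[$g.Id] = $g }

$findings = foreach ($dc in $dcs) {
    try   { $gpos = Get-GPO -All -Server $dc -ErrorAction Stop }
    catch { Write-Warning "Could not query ${dc}: $($_.Exception.Message)"; continue }

    $seen = @{}
    foreach ($g in $gpos) {
        $seen[$g.Id] = $true
        $reasons = @()

        # AD and SYSVOL copies on the same DC should carry the same version.
        if ($g.User.DSVersion -ne $g.User.SysvolVersion) { $reasons += 'User: AD/SYSVOL mismatch' }
        if ($g.Computer.DSVersion -ne $g.Computer.SysvolVersion) { $reasons += 'Computer: AD/SYSVOL mismatch' }

        # Each DC should agree with the reference DC.
        $ref = $reference[$g.Id]
        if ($null -eq $ref) {
            $reasons += "Not present on $referenceDc"
        } elseif ($g.User.DSVersion -ne $ref.User.DSVersion -or
                  $g.Computer.DSVersion -ne $ref.Computer.DSVersion) {
            $reasons += "AD version differs from $referenceDc"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ GPO = $g.DisplayName; Id = $g.Id; DC = $dc; Problem = $reasons -join '; ' }
        }
    }

    # GPOs the reference DC has but this DC does not.
    foreach ($id in $reference.Keys) {
        if (-not $seen.ContainsKey($id)) {
            [pscustomobject]@{ GPO = $reference[$id].DisplayName; Id = $id; DC = $dc; Problem = 'Missing on this DC' }
        }
    }
}

$findings | Sort-Object GPO, DC | Format-Table -AutoSize
```

An empty result means every DC reports matching versions; any rows narrow the manual GPMC check to the listed policies.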