Not sure why this choice can be made, but with monthly Windows updates it can be handy to create a new SUG every month. That way you know which updates are deployed every month. When using an ADR for Endpoint Protection (SCEP) definition updates it's recommended to use an existing SUG. Otherwise every 8 hours or day (as configured) a new SUG will be created. The old SUGs will be kept with expired definition updates in it. Not that it's not a good configuration, but WBEM cannot deal with lots of SUGs, with expired definition updates in it.
Looking on MS TechNet I found the following post: SCCM 2012 Agent and high CPU utilization. Deleting the SUGs indeed did the trick in my case. It seems to be a known Microsoft bug and may be solved later.