Okay, here's a question and an idea:
How much of the data in Bert is required? We already know that the EB 41 41... etc. is not necessary. We also know that we're replacing data, not code. Can we replace the rest of the stuff that comes after the blocksize?
What I would like to try is this: Replace the jump address 0x00C02020 with 0x01010101, and then replace the bytes before and after it with 01's as well. This way, even if the SEH address pointer is offset by a byte or three, it will still jump to 0x01010101. This is just under the 6 MB mark in Ernie, so Ernie would have to be at least that big. If it works at all, then at the very least, it would make the exploit more robust. In the best case, it could fix our double-dash problem and/or the clock loop problem.
Unfortunately, I can't try it right now, but I can later.