The answer is that the last 6 digits of Defender VINs more than likely incremented sequentially.
The biggest clues we have are that the 2 millionth Solihull built Defender has the VIN number SALLDWBP7FA473395, and the last Defender ever built at Solihull (no. 2,016,933) has the VIN SALLDWLP7GA490328. Focussing just on the last 6 digits of the VIN we have 490328 - 473395 = 16,933, which is exact difference in number of built vehicles between the two. Therefore the VIN numbers agree that the last Defender is 16,933 vehicles after the 2 millionth. So for the 2016 model year we can quite accurately expect that the VIN numbers are incremental. Whether this is true for other years can only be estimated, but I will show below why I think they are...
It seems common sense to believe that the VIN numbers are sequential, as it would be more confusing for them NOT to be sequential. Cars are built to orders for a certain specification of vehicle, which are then assigned a build slot; a space in the queue on a certain day. When a chassis arrives at the beginning of the assembly line, it is a generic chassis with the potential of being any specification. At the start of the assembly line, the build sheet is checked and an appropriate chassis is selected from the stack (90/110/130).
The build sheet is then stuck to the chassis.
The chassis was flipped over and a tow bar and other ancilliaries were attached if required. The second stage saw the chassis flipped upright and a VIN stamping machine was attached to the front dumb iron (photo below). See a video of how this works.
This was the point where that specific chassis with the specific build sheet was linked with the vehicle's final VIN. The build specification was already known by the system (e.g. RHD/LHD, Engine spec, etc.) so was able to insert the appropriate digits for the final VIN. For the 6 digit number at the end of the VIN, it would have made sense to just take the number used for the preceding chassis and increment it by 1. This would mean that the last 6 number digit would be completely independent of a Defender's specification, allowing greater flexibility on the production line.
For example, if a build for a specific customer was cancelled the day before assembly, to prevent losing capacity a more generic Defender specification could replace it. That more generic Defender would take the last 6 digits of the VIN that the specific customer build would have gotten. This would mean that you would create VINs at the moment of assembly. If you created VINs when the build slot was assigned, you would have to change or obsolete particular VINs if the build slots changed their order for any reason, which would be a waste of VINs. Having VINs assigned at the first moment of assembly supports the notion that the last 6 digits of a VIN incremented sequentially with no gaps.
If you worked on the Defender production line or know someone who did, I would LOVE to get more information about this. So please get in contact - details in the footer.