I can sometimes hear 127 Access Points here at the IETF.  From the nm mailing list:

On Tue, 2007-12-04 at 18:25 -0500, Derek Atkins wrote:
> I just roamed and got kicked off the network.  DMESG shows:
> 
> eth1: No ProbeResp from current AP 00:19:a9:45:2f:a1 - assume out of range
> eth1: No STA entry for own AP 00:19:a9:45:2f:a1
> eth1: Initial auth_alg=0
> eth1: authenticate with AP 00:19:a9:45:2f:a1
> eth1: Initial auth_alg=0
> eth1: authenticate with AP 00:19:a9:45:2f:a1
> eth1: authenticate with AP 00:19:a9:45:2f:a1
> eth1: authenticate with AP 00:19:a9:45:2f:a1
> eth1: authentication with AP 00:19:a9:45:2f:a1 timed out
> 
> And then I noticed this in my /var/log/messages:
> 
> Dec  4 18:21:49 pgpdev NetworkManager: <WARN>  request_and_convert_scan_results(): unknown error, or the card returned too much scan info: Argument list too long 

NM 0.6.5 will stop trying to get scan results after the buffer size
reaches 100K.  That's actually somewhat false, since it doubles the
buffer size (like iwlist and wpa_supplicant do) each time the driver
says that the buffer size is too small.  So that would lead NM 0.6.5 to
quit trying to get scan results when the buffer size is >= 50,000 bytes.
That cutoff should probably be raised though, and the algorithm fixed.
Can you file a bug on gnome.org?

0.7 grabs APs from wpa_supplicant over D-Bus, so it doesn't have this
problem.