Running your own BES means you hold the transport keys at both ends: on the BES server and on the device. BlackBerry's infrastructure just relays traffic between the two, so on that hop the message body is ciphertext to BlackBerry and to anyone else on the path; the relay only needs routing information (which device the message is for) in the clear. Of course, email passes through many hops before it reaches the BES server, and securing those is down to the organisation.
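To make the point concrete, here is a small model of that hop, written for this post rather than taken from BlackBerry's documentation: the BES and the handheld share a transport key provisioned at activation, and the relay in the middle can route and forward but not read or silently modify. The packet layout, the PIN value and the cipher (an HMAC-SHA256 keystream with an HMAC tag, standard library only) are all my own assumptions standing in for BES's actual symmetric transport cipher and wire format.

```python
"""Toy model of the BES-to-device hop.

The enterprise's BES and the handheld share a transport key provisioned at
activation; BlackBerry's relay sees only routing metadata and opaque bytes.
The cipher here (HMAC-SHA256 keystream + HMAC tag) is a stand-in for the
symmetric transport cipher BES actually used; the packet layout is assumed.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def provision_transport_key() -> bytes:
    """Simulates enterprise activation: BES generates the key and the device
    receives it out of band. The relay is never given a copy."""
    return secrets.token_bytes(32)


def _derive(key: bytes):
    """Separate encryption and MAC keys from the one transport key."""
    enc = hmac.new(key, b"bes-transport-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"bes-transport-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def bes_encrypt(key: bytes, device_pin: str, body: bytes) -> bytes:
    """BES side: wrap a message for one device.

    Assumed layout: <pin>|<nonce><ciphertext><tag>. The PIN is the only
    thing the relay needs, so it is the only thing left in the clear."""
    enc_key, mac_key = _derive(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(body, _keystream(enc_key, nonce, len(body))))
    header = device_pin.encode() + b"|"
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag


def relay_observe(packet: bytes) -> dict:
    """What the relay can learn: which device it is for and how big it is."""
    pin, rest = packet.split(b"|", 1)
    return {"pin": pin.decode(), "body_len": len(rest) - NONCE_LEN - TAG_LEN}


def relay_forward(packet: bytes, tamper: bool = False) -> bytes:
    """The relay just passes bytes on. With tamper=True it flips one bit of
    ciphertext to show that modification en route is detected."""
    if not tamper:
        return packet
    modified = bytearray(packet)
    modified[-(TAG_LEN + 1)] ^= 0x01   # last ciphertext byte before the tag
    return bytes(modified)


def device_decrypt(key: bytes, packet: bytes) -> bytes:
    """Device side: verify the tag first, then unwrap. Raises on mismatch."""
    enc_key, mac_key = _derive(key)
    pin, rest = packet.split(b"|", 1)
    header = pin + b"|"
    nonce, ct, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("transport integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def decrypts_cleanly(key: bytes, packet: bytes) -> bool:
    """True if `key` unwraps `packet` without an integrity failure."""
    try:
        device_decrypt(key, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = provision_transport_key()   # constructed: one activated device
    pkt = bes_encrypt(key, "2A1B3C4D", b"Board pack attached, do not forward")
    print("relay sees:", relay_observe(pkt))
    print("device reads:", device_decrypt(key, relay_forward(pkt)))
    print("relay with a key of its own:", decrypts_cleanly(provision_transport_key(), pkt))
    print("tampered en route:", decrypts_cleanly(key, relay_forward(pkt, tamper=True)))
```

The two things worth noticing are what `relay_observe` returns (the device PIN and the size, which is all a relay ever gets) and that the relay guessing a key or flipping a bit both fail at the device's integrity check. Everything upstream of `bes_encrypt`, such as the mail server to BES hop, is outside this model, which is exactly the "many hops before the BES" point.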

BlackBerry have published details of how BBM Protected operates, including data flows, key usage (key agreement and storage) and the impact of different device types. That lets you understand how it is actually implemented, and it is an interesting read that shows how complex such things are in real life. The document is simply titled "Security Note BBM Protected". I wish some other vendors would read it and take notes!

