EDIT: It's mostly about BIS; BES servers can actually implement end-to-end, if their IT department enables the S/MIME module and creates, distributes and teaches users how to use PKI certificates.
But if you're not doing that, you're not really protected.
This[1] document from the Communications Security Establishment of Canada explains it well. Citing:
PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging
sensitive messages. Although PIN-to-PIN messages are encrypted using
Triple-DES, the key used is a global cryptographic “key” that is common to
every BlackBerry device all over the world. This means any BlackBerry device
can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry
device, if the messages can be intercepted and the destination PIN spoofed.
Further, unfriendly third parties who know the key could potentially use it to
decrypt messages captured over the air. Note that the “BlackBerry Solution
Security Technical Overview” document published by RIM specifically
advises users to “consider PIN messages as scrambled, not encrypted”.
[1]: http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/itsb...
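To make the quoted point concrete, here is an added toy model (not from the comment above or from RIM's implementation): every device that holds the global key can read a message addressed to any PIN once it is intercepted, whereas with a per-recipient key only the real recipient can. SHA-256 in counter mode stands in for Triple-DES, the global key is a constructed placeholder, and the per-device symmetric key is a stand-in for an S/MIME key pair; all PINs and message text are constructed.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for the Triple-DES used on real devices."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key: bytes, dest_pin: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC, so a wrong key is detected instead of yielding garbage."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, dest_pin.encode() + nonce + ct, hashlib.sha256).digest()
    return {"dest_pin": dest_pin, "nonce": nonce, "ct": ct, "tag": tag}

def open_(key: bytes, msg: dict):
    """Return the plaintext, or None if this key does not authenticate the message."""
    data = msg["dest_pin"].encode() + msg["nonce"] + msg["ct"]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), msg["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(key, msg["nonce"], len(msg["ct"]))))

GLOBAL_KEY = b"constructed-placeholder-global-key"  # placeholder, not the real RIM key

class Device:
    def __init__(self, pin: str):
        self.pin = pin
        self.own_key = os.urandom(32)  # per-device secret; stand-in for an S/MIME private key

    def receive(self, msg: dict, mode: str):
        """'pin': decrypt with the global key every device ships with.
        'smime': decrypt with this device's own key, which only the real recipient holds."""
        return open_(GLOBAL_KEY if mode == "pin" else self.own_key, msg)

def readers(devices, msg: dict, mode: str):
    """PINs of devices that, having intercepted msg and spoofed its destination PIN, can read it.
    The PIN is only an address, so the spoofed routing check passes for everyone; the key decides."""
    return sorted(d.pin for d in devices if d.receive(msg, mode) is not None)

def demo():
    alice, bob, eve = Device("2A0001"), Device("2B0002"), Device("2E0003")
    fleet = [alice, bob, eve]
    pin_msg = seal(GLOBAL_KEY, bob.pin, b"quarterly numbers")    # PIN-to-PIN: global key
    smime_msg = seal(bob.own_key, bob.pin, b"quarterly numbers")  # S/MIME-style: Bob's key
    return readers(fleet, pin_msg, "pin"), readers(fleet, smime_msg, "smime")
```

`demo()` returns the readers under each model: all three devices for the PIN-to-PIN message, only Bob for the per-recipient one.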