Reason I ask, if you are set up as we are, the activation info is lodged on the BES server and the user does not have to enter anything on the handheld to begin activation.
If a user buys a new unit (doesn't really matter the provider unless your BES restricts it somehow), that user can connect the unit via cable and tell Desktop Manager to swap PIN numbers. At that point, he can simply await the activation cycle and you would not be the wiser unless you happened to notice the different PIN associated with his account during an audit.
Even swapping SIMs would be optional (unless he was using a policy he did not want to lose, I'm not sure if the policy would transfer to the new PIN).
In this scenario, you may consider it a security concern, but if this is a valid user, I'd think it more as a company policy breach.