Could be a consumer BIS account set up on his device that receives spam, or could be SMS spam. Or something else entirely... but you are correct if the hardware unit gets the spam (i.e. most not all of course) then it will never be seen by Exchange or the BB.
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices