The plan where I work is to roll out first iOS and then Android apps to securely run corporate email, calendar, etc. (?) over the VPN. Then kill the BES servers.
Security is a very big deal here. That's why the mobile apps are taking so long to be finished. BES is no longer worth the money, and we all want to use our own phone anyways.
Then use BES10 or BES12. It can create secure containers in iOS and Android that completely separate sensitive company data from the rest of the device - just like BB does. It's perfect for BYOD.
I'm not sure that allowing the devices to VPN into the corporate network is a good idea. I'm not sure how you would control access without some sort of mobile management software like BES12 or other alternatives.