A step toward making this secure is to generate private keys on the end clients, verify that the code generating them does not also create an escrow key, and be vigilant from then on to only allow access to that private key with audited code.
But there's a usability problem with this: people suck at not losing things.
Lost your private key and need to check your email? You're out of luck. This is the sign of a good, secure system, but the average office person will at some point lose their key and be very pissed off that their account is impossibly unrecoverable.
So to appease the "careless," they back up/generate keys on a server. This has the unfortunate (or fortunate for them?) side effect of allowing undetectable key escrow. So they might be doing this to solve a legitimate usability problem; it just enables these other, probably bigger, problems.