I'll answer 2 & 3:
2. Yes, you should see the ePO extension available for download
3. You no longer need to enroll in the developer program to get an MDM cert. See https://kc.mcafee.com/corporate/index?page=content&id=KB73382
I'll answer 1.
In basic mode you are putting all of your data and the components that communicate with your Exchange server, SQL server, AD server and potentially PKI server on the same server that is directly accessible from the web. If someone hacks your web server, they now have access to all of those servers.
In enhanced mode the web server is in the DMZ and can only communicate with the hub server (the one that talks to all of your other servers) via SSL. That is because you set the firewall you put between the DMZ and the hub server to only allow SSL traffic. Now if they hack your web server, they also have to hack your firewall and then your hub server before they can do any real damage. It is immensely more secure.
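The segmentation described in the answer above can be checked against a firewall rule set. This is an added example, not part of the original posts or the product's own tooling; the addresses, host names, probe ports and the use of TCP 443 for SSL are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (assumption): internal servers named in the thread.
INTERNAL = {"hub": "10.0.0.10", "exchange": "10.0.0.20", "sql": "10.0.0.30",
            "ad": "10.0.0.40", "pki": "10.0.0.50"}
WEB = "192.168.100.5"  # constructed DMZ web server address
PROBE_PORTS = {"https": 443, "smtp": 25, "mssql": 1433, "ldap": 389, "rdp": 3389}

# First-match rule lists for the DMZ-to-internal firewall:
# (action, source net, destination net, protocol, port or None for any port)
ENHANCED_RULES = [
    ("allow", "192.168.100.5/32", "10.0.0.10/32", "tcp", 443),  # web -> hub, SSL only
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
LOOSE_RULES = [  # a firewall exists but lets the whole DMZ reach the whole LAN
    ("allow", "192.168.100.0/24", "10.0.0.0/24", "tcp", None),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first rule matching the flow (default deny)."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (ip_address(src) in ip_network(rsrc)
                and ip_address(dst) in ip_network(rdst)
                and rproto in ("any", proto) and rport in (None, port)):
            return action
    return "deny"

def exposure(rules, src=WEB):
    """Map each internal host to the probed services reachable from src."""
    reach = {}
    for name, ip in INTERNAL.items():
        svcs = [s for s, p in PROBE_PORTS.items()
                if decide(rules, src, ip, "tcp", p) == "allow"]
        if svcs:
            reach[name] = svcs
    return reach

def audit(rules):
    """List every reachable host:service other than hub over SSL."""
    return [f"{host}:{svc}" for host, svcs in exposure(rules).items()
            for svc in svcs if (host, svc) != ("hub", "https")]

if __name__ == "__main__":
    print("enhanced findings:", audit(ENHANCED_RULES))
    print("loose findings:", audit(LOOSE_RULES))
```

An empty findings list means a compromised web server has exactly one path inward, the SSL connection to the hub.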