Copying my top-level comment here:
If he had turned on FileVault then this wouldn't be possible.
Without FileVault, your data is only protected by file permissions (which means if you can get root/admin access, you can see any of it, which, as you discovered, reinstalling the OS (or even booting to the recovery partition) will allow you to do). If they have physical access to the machine, they WILL be able to see your data without FileVault enabled. It's just a matter of them knowing how. The same goes for Windows, and maybe even Linux (though I'm not as knowledgeable there).
WITH FileVault, your data is encrypted, and cannot be seen without putting in your account password or recovery password. If you don't remember/know either password, the data is completely useless. So even if he was dumb like he was and didn't format before reinstalling, his user data would have been completely encrypted and inaccessible (assuming he didn't have auto-login on, but why would you do that if you are concerned with security?)
There's no Mac virus in the wild. Malware will ask for your password. OS X scans for known malware. And by default only apps signed with a certificate from Apple will run (you can override by right-clicking and choosing 'Open'). But it's relatively easy to get to your data if you have physical access. Enable FileVault (full encryption of your disk) and/or set a firmware password.
If in doubt, scan files you downloaded or files you forward to a Windows machine with ClamXav.
Just for future reference, the firmware in Macs is EFI, not BIOS. And yes, you can set an EFI password, which would then need to be entered to choose alternate boot options upon startup.
That said, an EFI password would not prevent your data from being accessed if the drive were to be removed from the computer. The way to safeguard against this would be to use FileVault to set up disk encryption. Note however that this would prevent your OS X files from being accessible from Windows altogether.
An operating system is just a bunch of files. User data is also just a bunch of files. The two are not exclusively linked on any operating system. If you want to avoid what you discovered on OS X, encrypt your HDD with FileVault: http://support.apple.com/kb/ht4790 (do not store your key with Apple).
You have the option of storing your FileVault 2 key with Apple, so if you do lose it, you can simply call them, provide the answers to your security questions and they'll read the key off to you. More info here.
I think it's a good thing to have turned on, even for the off chance of your MacBook being stolen.
>I've noticed on startup I have a load bar that wasn't there before and takes longer to load the OS than it did, I'm being put to the login screen when I used to just get thrown into the password screen on my profile after having the system go to sleep, which is what we are talking about I think.
Sounds like FileVault is enabled.
If you have a progress bar during boot, your filesystem is corrupt and is being repaired.
You are using FileVault 2, which is fully-encrypted. The preboot screen you see is courtesy of a combination of the EFI firmware and Recovery HD.
FileVault 2 on Mavericks is FIPS 140-2 compliant for classified information up to and including the classification level SECRET. Yosemite will receive certification shortly after launch.
Read more about FileVault 2 here.
Sounds to me like the drive is encrypted. But even if it is, I would imagine you'd only have to unlock it once (within a certain timeframe).
Try these two links and see if this helps at all.
http://support.apple.com/kb/ht4790
http://www.cnet.com/news/what-to-do-when-the-os-x-finder-requires-passwords-for-managing-files/
>I don't have anything that needs that level of security.
I'm of the opinion that you don't really know when something is worthy of being encrypted until it is too late. I do not travel without my drives being encrypted. I have heard far too many horror stories of overzealous law enforcement pulling out your laptop and going through it.
Regardless, here is some more information on the process. Might assuage your fears a bit. I would recommend anyone and everyone encrypt their drive when possible.