How secure is Mac OS X's security?
Solution 1:
It depends on exactly what you mean by:
it was protected with a password
If it means that they were using FileVault, then their data should be pretty much inaccessible.
If it just meant that they had a login password, though, all the thieves have to do is boot the laptop off another disk, and they'll have immediate access to everything on the internal drive.
Solution 2:
If FileVault is not enabled, there are two easy ways to reset the login password in single user mode without even having access to another computer or installation media.
It doesn't reset the password of the login keychain, but the thief could still access most files normally. They couldn't use auto-fill in Safari or log in to accounts in Mail. But if you had set a webmail site to log in automatically and hadn't disabled the option to reset a password with an Apple ID, the thief could reset the Apple ID (it doesn't currently require answering security questions) and use it to reset the keychain password.
The hash of the login password (which is usually also the password of the login keychain) is stored in /var/db/dslocal/nodes/Default/users/username.plist
in 10.7 and 10.8. In 10.7 it was easy to crack even relatively complex passwords by using DaveGrohl, but 10.8 switched to PBKDF2, which limits it to about 10 guesses per second per core.
Solution 3:
The current version of FileVault is secure against currently well-known attacks, if best practices are followed.
Some older versions of FileVault had serious issues. See http://en.wikipedia.org/wiki/FileVault#Issues and https://discussions.apple.com/message/18835839#18835839 ; both have more detail. With older versions of and incautiously configured installations of MacOS, it's definitely easy to decrypt the contents of a FileVault-protected drive. Fortunately, those known issues in older versions of FileVault have been fixed.
Google for examples of some "best practices", such as the NSA's configuration guide for Mac OS X.
What was protected by a password is a key question... Do all accounts require a login password? Is there a boot-time password as well? Was Filevault (or other encryption software) used at all? Were good password practices followed? A chain is only as strong as its weakest link.