That risk level is not at all on par with this though. That won't help with filevault turned on, and it requires both a reboot and a physical presence at the machine. This can be done remotely with shell access, and discloses hashes from other accounts.

In other words, it can be done remotely through a browser exploit.

This also won't help with filevault turned on.

Enabling Open Firmware password protection disables the ability to boot a Mac into single use mode; it also disables booting from an external hard drive, flash drive, etc.: http://support.apple.com/kb/HT1352

Unless the Mac has a firmware password. You could just remove that by resetting the PRAM, unless you wanted to go undetected. In that case, you could remove the hard drive, mount it elsewhere, and change the password hash. Is FileVault plus a firmware password the only safe way to keep your Mac?

FileVault by itself is sufficient, at least with Lion. Even if you're able to boot the machine or mount the HD, you'll need the user's original password to decrypt the data. The Password Reset app is useless until you first unlock the encrypted drive.

(I'm pretty sure that pre-Lion's FileVault is in the same case, where you'll still need the user's old password to decrypt their home directory's encrypted dmg, but I'm not 100% certain.)