About the first thing, yes, you're right: the recovery partition will simply delete everything on the HD regardless of password and replace it with the factory defaults.
But I don't think it's a security hole or menace or anything. It's pretty much expected. After all, user accounts/passwords are just for the OS's own use validation and authentication (and that goes for ANY system, not just Windows). When you boot it, it uses those accounts for access checks, but if you never load the system, the check is bypassed. The recovery partition of every laptop is nothing more than an image of the factory default that gets restored, irrespective of the current state of the HD/OS. The very same happens when you reformat the computer or boot a portable OS or put the disk in another box: the original OS password is never checked, because the original OS is never booted.
This isn't a security flaw, it's expected and normal, as the system cannot control anything if it doesn't even start. It's like going through the front door with all access checks or sneaking through the back door.
Because of that, anyone with physical access to the computer or the hard disks is pretty much free to do whatever he wants with all the data, provided he knows how to use it from another foreign system, as was possibly your case. Encryption is a good way to prevent that. It will not prevent the data from being stolen, but will prevent anyone who doesn't know the password from viewing it.