I have one generic password I use on random sites; on other sites I use modified versions of the names of the sites if I definitely know that admin is going to look at it (e.g. hacker wannabe sites).
I then have additional passwords I use on other things which are completely unique.
I'm guessing your friend doesn't claim to be big on security, or have any need to be big on security, so why would he need different passwords? Does he do online banking? If he does, then this is something stupid, using the same password, not just using the same password on Facebook.