Agreed. There is no substitute for good network security. If your business doesn't have behavior- and signature-based network security and an isolated-host wireless network with strong encryption and authentication, you are doing something wrong. Furthermore, if your VPN gateway is open to the world and the password is shared, ANY employee can log in using ANY machine they so choose.
If this person is still able to get into your secured network despite reformatting the laptop, what does it matter which OS is on it?
That said, it sounds like the real issue here is that you're going to be pushing your boundaries from day 1. You might want to cool it, put the POS company laptop into a box, and just use your own personal machine.