I guess it was addressed my way and so I'll try to answer. You are correct when it comes to hardware firewalls for the home market. My point here was to illustrate that given an up-to-date firewall, it still is a cumbersome process to configure it to make up for security holes in the OS. I have used enterprise firewalls since around 2000 to get around what you bring up here. It costs way more of course, but then you get new updates regularly (even then you have to schedule swapping it for a new one within a few years to stay on top of security).
No matter what firewall you have, it will never be any better than its configuration, and some (not all) of the 'holes' even in consumer firewalls could be fixed if people only bothered to configure it properly with one or more explicit 'deny' rules. Sadly, the fact is that very few update its firmware at all, let alone configure it, and so it sits there as a gateway dummy device of somewhat limited value security-wise.
To rely solely on a software firewall running on the same machine as the software is not wise either as an infection can create rules to make sure it can communicate or disable the firewall in such a way that you do not notice at first, thus ruining your security entirely.
Another aspect is that people fail to do much configuration here as well and with a default outbound rule of 'allow', even the application firewall is of limited value.
Knowing this, I do recommend that common computer users have both to minimize the impact as much as possible. One or two known holes in an external device gives better odds than the 65535 possible in your computer if routed directly from the net.
I will try to explain what happens:
The default rule for outbound traffic is allow on almost every private client computer out there and that very setting gives any infection free access to the net. Since it originates from your machine, the hardware firewall allows the reply from the net (unless it has a scanning engine which most consumer devices lack) and so most users are indeed trusting their anti-malware solution with their entire security.
Then comes the fact that most users surf the net as a member of the administrators group as they cannot be bothered to switch account to do installations or other maintenance; they may even have UAC turned off to avoid that 'annoyance' as well... The latter means that the infection is free to do whatever it wants once it enters the computer.
In other words, they are gambling with security each time they go online.
IT security is a wholeness and should start with regular backups, patching the installation to remove known threats, making sure to have a reasonable personal password policy and limiting the rights of the user account you use when surfing the net.
Then comes a good antivirus/anti-malware real-time scanner (with scheduled system scans as well) working in conjunction with the security provided by the application firewall.
After all that and for the average user, the hardware firewall can take care of inbound traffic not originating from your computer.
For each of the above, the need for regular updates and maintenance is crucial to keep IT security on a reasonable level even in the private sphere.
Still, no matter how many times I teach people the above, most simply will not listen and continue their 'happy go lucky' behavior even after being infected several times.
The bottom line is: Nothing gets better than the person doing it and if you go 'now looky here' on the net without any shred of scepticism, you are bound to fail no matter what you have done to secure yourself otherwise. There is absolutely nothing that can protect you against your own stupidity.
Personally, I have a default outbound rule of block in the application firewall as I like to be as safe as possible. Installers and applications are unable to create their own firewall rules and so I have to manually approve each unknown outbound connection. This approach has so far kept me safe, but nothing is absolute. In addition to this, I have 50+ rules applied to the hardware firewall to tighten the security even further, have a 7-day self-inflicted quarantine on all downloads unless I have time to dissect them, and finally try to catch up on new threats daily to stay as up to date as humanly possible.
I hope it was clarifying and also answered your question :flower:
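As an added illustration of the point made above about the application firewall (not part of the original post), the PowerShell below audits the Windows Defender Firewall for the 'default outbound allow' setting the post warns about and for outbound allow rules pointing at programs outside the Windows directory (the kind an installer quietly adds), and optionally switches every profile to default-outbound-block with one explicit allow rule per approved program. It assumes an elevated PowerShell session on Windows 10/11; the browser path is a placeholder to be replaced with the programs you actually approve.

```powershell
# Added example: audit and harden the Windows Defender Firewall outbound policy.
# Run elevated. Without -Apply it only reports; with -Apply it enforces the policy.
param(
    [switch]$Apply,
    # Placeholder list of programs you explicitly approve for outbound traffic.
    [string[]]$ApprovedPrograms = @('C:\Program Files\ExampleBrowser\browser.exe')
)

# 1. Report the default outbound action per profile. 'Allow' is the weak setting
#    described in the post: anything that gets onto the machine may talk out freely.
Get-NetFirewallProfile -All |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. List enabled outbound allow rules whose program lives outside C:\Windows.
#    These are typically created by installers rather than by the OS itself.
$suspect = foreach ($rule in Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True) {
    $program = (Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $rule).Program
    if ($program -and $program -ne 'Any' -and
        $program -notlike "$env:SystemRoot\*" -and
        $program -notlike '%SystemRoot%\*') {
        [pscustomobject]@{ Rule = $rule.DisplayName; Program = $program; Group = $rule.Group }
    }
}
Write-Host "Outbound allow rules for non-Windows programs: $(@($suspect).Count)"
$suspect | Format-Table -AutoSize

if (-not $Apply) { return }

# 3. Harden: block outbound by default on every profile, then allow only the
#    approved programs. Every other outbound connection must now be approved by hand.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultOutboundAction Block
foreach ($exe in $ApprovedPrograms) {
    $name = "Approved outbound: $([IO.Path]::GetFileName($exe))"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
}
Write-Host 'Default outbound action is now Block; review the audit list above and delete rules you did not create.'
```

Run it once without -Apply to see what the firewall currently permits; a default outbound block will break anything not on the approved list until you add a rule for it, which is exactly the manual approval step the post describes.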