Such feelings are often echoed in the IT world these days: firewalls are not that smart, or at least not often that smart. Here is one example. You could try to ban FTP by blocking port 21 on your firewall. But if you leave port 22 open for SSH access, it is possible, and indeed very easy, for the FTP service on a target server to be reconfigured to listen on port 22 instead of port 21. The firewall will then allow FTP access to this host on port 22, because it does not check the actual content (or protocol) of the traffic; it only blocks ports. In the same way, one might exploit the fact that port 80 is usually left open for HTTP and use that port to carry a different (and potentially unwanted) type of traffic. Obviously, many firewall admins have taken steps to deal with this, but this kind of problem is abundant.
Baumhardt recommends Microsoft's Internet Security and Acceleration (ISA) Server 2004 as a solution to the problem of a weak firewall. This software, Baumhardt claims, can handle 1.9-gigabit throughput and scan port traffic at the application layer, which could lead to better transparency into what the traffic on an open port actually contains.
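To make the port-versus-protocol gap concrete, here is a small added example (not code from the article, and unrelated to ISA Server) of the application-layer check a port-only rule lacks: it classifies each session by the server's opening bytes and flags sessions whose protocol does not match what the allowed port was assumed to carry. The protocol signatures, the expected-protocol table and the sample sessions are all constructed for this illustration.

```python
import re

# First server-to-client bytes of each protocol. Constructed for this example
# from the protocols' well-known greetings; real inspectors use far more rules.
PROTOCOL_SIGNATURES = {
    "ssh": re.compile(rb"^SSH-\d\.\d-"),        # SSH version banner
    "ftp": re.compile(rb"^220[ -]"),            # FTP "service ready" reply
    "http": re.compile(rb"^HTTP/\d\.\d \d{3} "),  # HTTP status line
}

# What a port-only firewall rule implicitly assumes each open port carries
# (assumed policy for this example).
EXPECTED_PROTOCOL = {21: "ftp", 22: "ssh", 80: "http"}


def identify_protocol(server_bytes: bytes) -> str:
    """Classify a session by its content alone, ignoring the port it used."""
    for name, pattern in PROTOCOL_SIGNATURES.items():
        if pattern.match(server_bytes):
            return name
    return "unknown"


def find_port_protocol_mismatches(sessions):
    """Return (dst_port, observed, expected) for every session whose payload
    is not the protocol the port-based rule assumed that port would carry."""
    findings = []
    for dst_port, server_bytes in sessions:
        observed = identify_protocol(server_bytes)
        expected = EXPECTED_PROTOCOL.get(dst_port)
        if expected is not None and observed != expected:
            findings.append((dst_port, observed, expected))
    return findings


# Constructed sample sessions: (destination port, first bytes from the server).
SAMPLE_SESSIONS = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),        # SSH on 22: what the rule assumed
    (22, b"220 ftp ready.\r\n"),             # FTP moved onto port 22: mismatch
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    (80, b"SSH-2.0-dropbear\r\n"),           # non-HTTP traffic riding port 80
]

if __name__ == "__main__":
    for dst_port, observed, expected in find_port_protocol_mismatches(SAMPLE_SESSIONS):
        print(f"port {dst_port} carries {observed}, rule expected {expected}")
```

Greeting banners can be altered by whoever controls the server, so a production inspector tracks the command/response dialogue of the whole session rather than only its first line.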