WAFs are a bad idea imvho. They can give a false sense of security and the feeling that security is being taken care of. The reality is that they are generally not very good at catching anything other than the most basic of attacks.
I much prefer
- external security monitoring (there are many vendors)
- automated testing in pre production using skipfish/w3af/whatever
- static code analysis
- penetration testing
- responsible disclosure programmes
- hackdays
I don't see it as an either/or decision TBH. I wouldn't suggest that WAFs are a panacea, but that doesn't mean that they can't be a useful defensive layer.
A lot of companies have difficulties getting app patches applied quickly due to test cycles, so applying a WAF rule to block known issues (this one for example) can be a fast, low-risk way of reducing the risk.
You'd be surprised at how many robot attacks don't have a user agent, or similar things you can trigger on.
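An added illustration of the two stopgap rules the previous two comments describe (not code from anyone in the thread): flagging requests with no User-Agent header, and a "virtual patch" that blocks the input pattern of a known issue until the application fix ships. The `/search` path, the `q` parameter, the script-tag pattern and all sample requests are constructed placeholders, not taken from a real application.

```python
"""Minimal WAF-style rule evaluation over raw HTTP request heads."""
import re
from urllib.parse import parse_qs

# Each rule is (name, predicate over a parsed request dict).
RULES = [
    # Many automated scanners and bots send no User-Agent header at all.
    ("missing-user-agent", lambda r: "user-agent" not in r["headers"]),
    # Virtual patch for a known issue: path, parameter and pattern are placeholders.
    # The check runs on the percent-decoded value, so %3Cscript is caught too.
    ("virtual-patch-placeholder-issue",
     lambda r: r["path"].startswith("/search")
     and re.search(r"(?i)<script\b", r["query"].get("q", [""])[0]) is not None),
]


def parse_request(raw: str) -> dict:
    """Parse an HTTP/1.1 request head into method, path, decoded query and headers."""
    request_line, *header_lines = raw.strip().splitlines()
    method, target, _version = request_line.split(" ", 2)
    path, _, query_string = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {
        "method": method,
        "path": path,
        "query": parse_qs(query_string, keep_blank_values=True),
        "headers": headers,
    }


def evaluate(raw: str) -> list:
    """Return the names of every rule that matches; an empty list means 'allow'."""
    req = parse_request(raw)
    return [name for name, predicate in RULES if predicate(req)]


# Constructed sample traffic: a bot probe, a normal browser request, a known-bad input.
SAMPLE_REQUESTS = {
    "bot_no_ua": "GET /admin HTTP/1.1\r\nHost: example.test\r\n",
    "browser_ok": "GET /search?q=waf+opinions HTTP/1.1\r\nHost: example.test\r\n"
                  "User-Agent: Mozilla/5.0\r\n",
    "known_issue": "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
                   "Host: example.test\r\nUser-Agent: Mozilla/5.0\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, "->", evaluate(raw) or "allow")
```

The rule only matches what it was written to match, which is the point made in the thread: it cuts the automated noise and buys time for the real patch, it does not replace it.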
I agree, against a direct targeted attack on your site they won't help (much). But for stopping a lot of robotic, automated hacking attempts they certainly have their place.