I agree that defense in depth is a good idea, but one key factor to consider is cost. Having a basic firewall makes sense, if for no reason other than “documenting” your public services in one place, but many places are either lulled into a sense of complacency or spend inordinate amounts of time managing tons of rules trying to segregate internal hosts, update for every new network app, etc.
It's that latter group which really needs to hear the truth that they should invest in endpoint security instead unless they have a high security threat and enough resources to do both.
I believe that at this point in time any network traversal should be considered an ultrahazardous activity. As most networks are beyond the control of the users and have little to no change control, it makes little sense to apply risk mitigation controls to them. When you consider the fact that users demand their information be available at all times, it makes much more sense, from a risk mitigation perspective, to focus on the elements you do have a semblance of control over -- the endpoints where the sensitive data is stored and processed and the protocols by which they communicate. There are well-known and trusted means of securing data in transit. There is no excuse for relying on policy for mitigation where your policy can have no effect.
P.S. 'Network security' is just a specific case of risk management.