Imagine an enemy that is aiming for your inner sanctum. Now imagine a team of sharpshooters with eyes on your perimeter taking out the bad guys one by one. This is how a software solution (firewall) works.
Now imagine the same scenario with a 100 foot wall and ceiling of reinforced missile resistant concrete. This is the physical protection of a separate network/hardware solution.
Software is fallible, ie, imperfect and unable despite our best efforts to cover every possibility out here in the real/analog world. Properly designed hardware, while not 100% perfect, supersedes any and all software solutions in nearly every situation.
As explained to me by a top level cyber security person.