If you review your filtering policies regularly, you are doing security.
But a simple firewall, which typically drops packets going to some ports, is no security device. It's just part of shaping the network. It deals with the normal use of the network, it doesn't help with the following:
- Confidentiality: think of all the opportunities to sidestep a firewall... The tunnels, the vulnerabilities in the servers and, of course, the HTTP traffic itself which is the biggest threat to confidentiality.
- Availability: it will not help you against DoS attacks, nor against hardware failures...