Your vulnerability arises when your firewall doesn't do its job, or if you don't do your job. You may allow services on the unpatched box through the firewall, and in that case your unpatched services are just as vulnerable as if there were no firewall. AV isn't really a layer of security. If there comes a time when you depend on it, then your security has already been compromised and AV becomes a part of the response. It's similar to encryption. If your encryption/AV is being attacked, it means something failed.

Your firewall is always open to attack. Once it's been compromised, the network/host it protects is vulnerable.