I'm guessing you don't actually believe that, and you are just looking for the counterpoint that would justify your position as a consultant.

There are ways around firewalls, firewalls can be exploited, firewalls can be manipulated, firewalls are not foolproof. A consultants job isn't to just find holes, but to find design and infrastructure weakness. You may have a firewall for protection, but your job as a consultant is to make sure it's configured correctly and that policy is designed correctly among other things. If one layer is exploited, everything behind it suddenly depends on strong policies and designs. OWASP rings bells.