Based on the principle that no box connected to the internet is secure, then the answer clearly is no. But I agree with you completely but will go a step further with regard to the hardware firewall available, in that it also mitigates against those users who don't know what a patch is, let alone where to get one and install it. OS patches prevent the exploitation of local services that are vulnerable. With a firewall the exploit cannot reach (unless the exploit is a result of the user's actions, such as visiting a malicious web site) the service in the first place, so, to all intents and purposes, the service is immune to exploit.

There's nothing you can do about "user-invoked" malware except educate the user - and we all know that will never happen... - but the basic kiddie tools, worms etc. are all mitigated on an unpatched machine that has even the most basic firewall in front of it. It's the thing I stress the most to all my users for their home computer because I get the biggest "bang for the buck" in terms of minimal time spent telling them about it coupled with the maximum security provided... (yeah, I could go on for weeks about patching, AV, updating it etc. and Spybot/Ad-aware/the cleaner and all that stuff, but they won't do it regularly and they will remain vulnerable to the most basic worms and kiddie tools).