There is one word in the above statement that raises the debate: "comprehensive". Security audits used to target the application that might be vulnerable. Having an "application firewall" in front of the application means that we are testing the gateway and not the application.
Actually, you can go a little bit further than that. It's the fact that it's still made by a human. There will always be flaws, regardless of whether there is a firewall. Instead, you now have two things to test: the firewall and the application. You cannot assume that the firewall will stop things from happening. Additionally, if you test only the gateway and not the application, an attacker can go past the firewall through a legitimate port or pathway to the application.