WAFs can be a useful site of intervention during incidents or when high-severity vulns are first made public. They're not a replacement for fixing the vuln, which still has to happen, but they give you a place to mitigate it that may be faster or simpler than deploying code changes.
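As an added illustration of the "virtual patch" the comment above describes (this is not code from the thread or from any WAF product): a small WSGI middleware that blocks requests matching the shape of a known-bad input and logs the hit, while the real fix is still being shipped. The endpoint `/render`, the parameter `template`, the payload pattern and the sample requests are all constructed for the example and do not describe a real vulnerability.

```python
import io
import re
from urllib.parse import parse_qs

# Constructed rule for illustration only: it does not describe a real
# vulnerability. A rule like this is what you would push to a WAF the day a
# high-severity bug in a dependency becomes public, to buy time until the
# fixed version is deployed.
VIRTUAL_PATCHES = [
    {
        "id": "vp-0001",
        "path_prefix": "/render",          # hypothetical vulnerable endpoint
        "param": "template",               # hypothetical vulnerable parameter
        "pattern": re.compile(r"\$\{.*?\}|#\{.*?\}", re.S),
    },
]


def _request_params(environ):
    """Collect query-string and form-encoded body parameters.

    The body is read once and put back as a fresh BytesIO so the wrapped
    application still sees it; forgetting this is a classic middleware bug.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if environ.get("REQUEST_METHOD") in ("POST", "PUT", "PATCH"):
        ctype = environ.get("CONTENT_TYPE", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(raw)
            for key, values in parse_qs(raw.decode("utf-8", "replace"),
                                        keep_blank_values=True).items():
                params.setdefault(key, []).extend(values)
    return params


def match_virtual_patch(environ, patches=VIRTUAL_PATCHES):
    """Return the id of the first rule the request trips, or None."""
    path = environ.get("PATH_INFO", "")
    params = None
    for rule in patches:
        if not path.startswith(rule["path_prefix"]):
            continue
        if params is None:
            params = _request_params(environ)
        for value in params.get(rule["param"], []):
            if rule["pattern"].search(value):
                return rule["id"]
    return None


class VirtualPatchMiddleware:
    """WSGI wrapper: 403 matching requests, pass everything else through."""

    def __init__(self, app, patches=VIRTUAL_PATCHES, log=print):
        self.app, self.patches, self.log = app, patches, log

    def __call__(self, environ, start_response):
        rule_id = match_virtual_patch(environ, self.patches)
        if rule_id is not None:
            # Log every hit: during an incident these logs are your evidence
            # of who is probing the vulnerable path.
            self.log("virtual patch %s blocked %s %s %s" % (
                rule_id, environ.get("REMOTE_ADDR", "-"),
                environ.get("REQUEST_METHOD"), environ.get("PATH_INFO")))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch " + rule_id.encode()]
        return self.app(environ, start_response)


def ok_app(environ, start_response):
    """Stand-in for the application being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def make_environ(method, path, query="", body=b"",
                 ctype="application/x-www-form-urlencoded"):
    """Build a minimal WSGI environ for a constructed request."""
    return {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_TYPE": ctype,
        "CONTENT_LENGTH": str(len(body)),
        "REMOTE_ADDR": "198.51.100.7",   # documentation address, constructed
        "wsgi.input": io.BytesIO(body),
    }


def run_request(app, environ):
    """Call a WSGI app directly and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = VirtualPatchMiddleware(ok_app)
    print(run_request(app, make_environ("GET", "/render", "template=%24%7B7*7%7D")))
    print(run_request(app, make_environ("GET", "/render", "template=hello")))
```

In a real deployment the same rule would be expressed in the WAF's own rule language (a ModSecurity `SecRule`, a cloud WAF custom rule) rather than in application middleware, but the shape is the same: match on path and parameter, block, log. A pattern like this is a stopgap, not a fix; alternative encodings or parameters the rule does not cover will get past it, which is exactly why the comment insists the underlying vuln still has to be fixed.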
> If you knew the vulnerabilities you'd protect against them in your application.

Correction: it is not your application but someone else's Certified Stuff (TM) that you can't change, but which is still vulnerable.

If your clients will let you pass the buck on security like this, it would be very tempting to work towards the least onerous insurance metric and no further.