I mean ... You're not completely wrong, but you're not completely right either. For context: I've been working full-time in security for 15 years and on the fringes (reversing) for many more.
WAFs in and of themselves provide virtually zero security. They can block naive attacks -- catching the most obvious payloads -- and act as an early-warning signal that an attack may be underway (though the SNR on this is awful). But frankly, this is far less important in practice than the fact that it just makes things more difficult and annoying for attackers. Enough so that it can make a semi-attractive target into a no-go.
This is like defense-in-depth, but instead of layering protections in place so that the holes in the Swiss cheese don't line up, you're making the cheese smell awful enough to ignore the juicy apple behind it.
If you're a valuable enough target, they're gonna go for the apple regardless of how bad the cheese is. ... And this analogy may have gotten away from me.