You are correct. Actual security needs to be inherently part of the application; you can't get it just by slapping something in front of it. And the way most WAFs work is basically just a fancier version of what https://thedailywtf.com/articles/Injection_Rejection does, which is horrifically bad on sites where people try to discuss HTML or SQL.