Well not entirely because you always want defense in depth. Let’s say you are running 20 apps and 10 of them have security vulnerabilities like RCE.

Testing and deploying patches takes time probably you cannot just update 10 apps at once with single click.

Deploying WAF rule should cover that.