A WAF is obviously not a control designed to be a full-scale replacement for good input validation and development best practices. So yes, it's inherent that there are fundamental weaknesses to WAFs.
However, there are still benefits. You deploy a WAF as part of a defense in depth strategy, with one of the best use-cases being situations where you have legacy web systems that nobody is maintaining. Additionally, you can get TLS upscaling, easy HTTP rewrite capabilities, DDoS protection, and other granular controls with some SaaS offerings. So while it's true that a WAF won't stop a determined attacker, there are certainly benefits to operating them, particularly in large enterprise environments.
This is true when you think about it from a security perspective, but it's definitely not always the case. Many people _do_ rely on a WAF to outsource their security. It's often political, from my experience, that security is either punted or not prioritized in the promo process for most SWEs.
It's the unfortunate reality for many companies to just not actually care about security. If you only promote people based on them shipping features but not fixing security issues, then you slowly remove all incentives to care at an individual level. It's just game theory because there are few penalties for not caring about security.
Fortunately, the winds of change are blowing now with new regulations. Society is beginning to force companies to care. We're still far from living in a reality where most companies have a strong security posture with their tech though. It's going to take time and energy for frameworks and development methodologies to catch up (and legacy software to die off or be updated).
Agreed, it's almost always political. Product has a schedule, developers find it convenient to say "Well, we have a firewall", and now suddenly they can hit the deadline! That they got there by deciding to not validate their inputs isn't important. They can handwave it away as "We make certain assumptions about the traffic coming in over the network" and Product learns a neat trick to ship faster.
I've seen this exact dynamic play out several times. Lots of vulnerabilities were created, and infosec pointing to this only attracted the ire of Product. And angered several Director-grade people in engineering who were spreading the idea that a firewall is a replacement for input validation.