Also:
Most security updates - if you take the time to read them - prevent remote code execution.
Firewalls at the perimeter won't protect you from people that bring unclean machines in or malicious users inside your network.
Who in their right mind in a corporate environment only uses a firewall to protect the perimeter?
Every one of your VLANs' (if you run a layer 2 network, or subnets' if you run on layer 3) default gateways should ideally be terminated on an interface on the firewall; desktops should be on separate VLANs to servers, services and internetworking devices.
At the very least, if you don't have enough interfaces on your firewall, you should have a tight access-list on your switches to prevent any internal meddling.
Access lists on the switches and a properly designed firewall rulebase will prevent this.