Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. In practice, this is rarely the case, especially for a network which spans a large enterprise. Users may setup their own backdoors, using modems, terminal servers, or use such programs as "PC Anywhere" so that they can work from home. The more inconvenient a firewall is to your user community, the more likely someone will set up their own "back door" channel to their machine, thus bypassing your firewall.
Related to this problem is the observation that in research or academic communities (and sometimes in corporate environments as well!), researchers, professors, or engineers may demand so many exceptions to the firewall policy so that they can communicate with their collaborators at other research sites or universities that you might as well not have the firewall.
Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the can be considered trustworthy. This neglects the large number of corporate computer crimes which are committed by insiders.
Of course, in academic institutions, the assumption that the "bad guys" are always on the outside is often laughable. We have often observed that there's nothing quite so dangerous as a bored MIT student.