They do mitigate known vulnerabilities.
They may mitigate known proofs of concept of vulnerabilities, and require a small amount of creativity to work around. At the cost of randomly breaking things.
That creativity takes time. WAFs are the first line of defence, buying some time for fixing the actual vulnerabilities.