There is a tension, but it's between paying enough to developers to actually produce decent code or pay a 3rd-party to firewall the application.
Again, there is no tension.
People will manage to circumvent the firewall if they want to attack your site. But you will still pay, and get both the DoS vulnerabilities created by the firewall and the new attack vectors in the firewall itself.