Excellent products with poor implementation are still ineffective products. However, this does vary based upon the kind of product and its purpose.
If someone is planning to win a car race, we know not to just buy the best car. We know it takes an awesome driver, more than just the car. We also know that professional racing takes a team effort. In higher-end races it's about a lot of analytics, practice, forensics and enlisting support from sponsors.
It's the same for cyber security. With dismal breach statistics of well over 90% failure, we're talking about the human component as the major weakness.
In cyber security, we're fighting a war. A war isn't won with just one type of warfare (ground, air, sea, etc.), a war isn't won with a single weapons system, and a war isn't won without practice and training. We are playing a game of cyber defense that requires a multitude of solutions. Some are brute-force defenses, some are deception, some are meant to slow down the enemy and others are in the background providing situational awareness. Using just a firewall and not having professionals configure it is a recipe for disaster. Throw down and surrender and get out of the war; this isn't a theater for mere mortals.
Different products require different skill sets and levels of depth and knowledge, not to mention an understanding of how to integrate them all into an effective system. Next-generation firewalls, when done well and operating at peak, 100% capability, require that a wide variety of countermeasures and defenses be configured. That includes making some tough policy decisions. Web application firewalls can take quite a bit as well. Other solutions, like DDoS protection, require less. So know your tools, know when to ask for help, and know when to bring in the A team.
The lesson learned is to know when to use professional skills and audits to validate that your arsenal is operating at peak efficiency. Trust me, if you don't, the enemy will, and you'll be in the news and we all get to read about it.