Modern firewalls are more than just network rules, they also inspect the traffic itself. For example, you might allow traffic to your web server, but you still don’t want people uploading zip bombs or attempting SQL injections. NAT won’t protect against those.
(I’m sure someone will have better examples; those are just what came to mind.)