I do disagree with you.

WAFs aren't perfect, no security product is. They do allow you to implement protection against many types of common attacks against your website. This is useful if your site runs applications that you don't have the ability to fix XSS/Injection/etc... issues on (you don't own the code, you don't have resources to do it, etc...). This is actually pretty important as most websites out there run old and/or closed source and/or 3rd party code and/or don't have internal resources to identify and fix every vulnerability 100% of the time. A well tuned WAF provides a decent layer of protection. They also allow you you solve PCI DSS 1.2 Req #6.6 without doing pen testing/vuln testing after every single code change you release.

Perhaps if you had shared some of those reasons you wouldn't have been downvoted.

I think it has a lot to do with making an incredulous statement without providing some evidence, or discussion as to why you think "WAFs are snake oil".

OK, so actually state your reason. You're being downvoted because we can't read your mind.

Reasons like....what, exactly? We're a hosting company and we use them on most servers. They're not perfect, but they prevent probably about 95% of the automated attacks that we see come through. If it's enough protection to make them move on to something easier, it's better than nothing. I agree with you that they're pretty easy to bypass, and shame on companies like Barracuda Networks who sell Supermicro servers with CentOS and mod_security and a proxy set up with a fancy web interface and call that a "web application firewall", but they ARE better than nothing.

They are the same kind of crap as personal firewalls are.