I disagree. While not a magic "I've added that, now I'm totally secure" the one I have deployed stops many attacks designed to infect old code. I don't have that old code, but if I did the WAF would stop the attacts against it.
Is it perfect? Of course not. Is it another layer of protection, sure it is.