NATting firewalls don't help at all with email-delivered malware,
browser exploits, etc.
If the firewall is configured to block all outgoing traffic to port 25
servers, then it helps considerably. After all outgoing email should be
going to port 587. And if the system designer is creative enough, then
this firewall thingy which is reputed to protect you from bad stuff,
would also download and install the latest patches to protect against
browser exploits. If this is all run on a separate CPU it can also do
some pretty in-depth inspection and do things like block .exe
attachements in email.
None of this is rocket science. The hardware available today can do
this. This hardware is not expensive. It does, however, require systems
vendors to have a bit of imagination and that seems to be in rather
short supply in the modern world.