Keith, I don't get this argument. A NAPT is a firewall by your own
definition "I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or unauthorized
usage."
only if the policy that the user wants is exactly what the NAPT
provides. it's unrealistic to assume that most NAPT users do not want
to run any apps that accept externally-originated traffic, ever. it's
also unrealistic to assume that most threats to the networks are from
outside the network, or that any kind of perimeter security will protect
a network of significant size from attack.