You know, I agree with your sentiment entirely, which is why I feel bad calling this out:
A serious firewall would be a good start.
It's really not. In fact, the firewall is the last thing you should think about.
That's not just because there are so many exploits right now that are for all practical purposes indistinguishable from normal traffic, although that's a good reason, too. It's because the best defenses are always layered defenses, and those start from the inside out.
Far too often I see people begin and end at the firewall. Even if they intended it only to be the start, their thinking rarely progresses much further into the network... why should it? They think about all the stuff the firewall is going to catch, and it seems to take care of so many problems it's hard for them to imagine what else they need to do internally to lock things down. They've succumbed to the "enumerating badness" fallacy, classically described by Marcus Ranum in his must-read Six Dumbest Ideas in Computer Security.
That's exactly backward, though. Where you want to start is at your core data, with the assumption that everything else has already failed, and what can you do to mitigate the disaster of penetration at that last possible level.
Then you work your way out, doing the same thing at each level.
Because almost no one does this, firewalls today are the thin, crunchy shell over the juicy taste explosion of vulnerable systems that crackers crave.
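As an added illustration of the two points in the comment above (it is example code written for this page, not anything the commenter posted): a perimeter built by "enumerating badness" (a denylist) lets through whatever it has not heard of yet, whereas a default-deny perimeter does not; and when each inner layer (host, application, data) applies its own default-deny rule, a request still gets stopped even after the perimeter has been swapped for one that has completely failed. The addresses, principals, record names and ACL are all constructed sample values.

```python
"""Layered default-deny policy, evaluated from the perimeter inward.

Added example. All hosts, identities and ACL entries are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    src: str        # originating host (constructed sample address)
    principal: str  # authenticated identity; "" when unauthenticated
    action: str     # "read" or "write"
    record: str     # data object being touched


Check = Callable[[Request], bool]

# --- the perimeter, done two ways -------------------------------------------
# Enumerating badness: a denylist. Anything not already known to be bad passes.
KNOWN_BAD_SOURCES: Set[str] = {"10.0.0.66"}


def denylist_perimeter(req: Request) -> bool:
    return req.src not in KNOWN_BAD_SOURCES


# Enumerating goodness: default deny. Only sources we expect to see pass.
EXPECTED_SOURCES: Set[str] = {"10.0.1.10", "10.0.1.11"}


def allowlist_perimeter(req: Request) -> bool:
    return req.src in EXPECTED_SOURCES


# A perimeter that has already failed: it lets everything through. Used to
# model the "assume everything outside this layer has failed" exercise.
def failed_perimeter(req: Request) -> bool:
    return True


# --- inner layers, each with its own default-deny rule ----------------------
def host_layer(req: Request) -> bool:
    # The host exposes only these two operations at all.
    return req.action in {"read", "write"}


def app_layer(req: Request) -> bool:
    # The application refuses unauthenticated requests whatever their source.
    return req.principal != ""


# Per-record ACL: the data layer's own idea of who may do what (constructed).
DATA_ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll": {"alice": {"read"}, "bob": {"read", "write"}},
}


def data_layer(req: Request) -> bool:
    return req.action in DATA_ACL.get(req.record, {}).get(req.principal, set())


Layer = Tuple[str, Check]
INNER_LAYERS: List[Layer] = [
    ("host", host_layer),
    ("app", app_layer),
    ("data", data_layer),
]


def stack(perimeter: Check) -> List[Layer]:
    """Full stack: the given perimeter followed by the independent inner layers."""
    return [("perimeter", perimeter)] + INNER_LAYERS


def evaluate(req: Request, layers: List[Layer]) -> Tuple[bool, Optional[str]]:
    """Walk the layers outermost first; return (allowed, name of denying layer)."""
    for name, check in layers:
        if not check(req):
            return False, name
    return True, None


if __name__ == "__main__":
    stranger = Request("10.0.9.9", "", "read", "payroll")
    print("denylist alone:", evaluate(stranger, [("perimeter", denylist_perimeter)]))
    print("denylist + inner layers:", evaluate(stranger, stack(denylist_perimeter)))
    print("allowlist + inner layers:", evaluate(stranger, stack(allowlist_perimeter)))
    alice_write = Request("10.0.9.9", "alice", "write", "payroll")
    print("failed perimeter, alice write:", evaluate(alice_write, stack(failed_perimeter)))
```

The request from an unlisted host is allowed by a stack that begins and ends at the denylist perimeter, denied at the application layer once the inner layers are present, and denied at the perimeter itself under default deny. With the perimeter replaced by one that has failed entirely, alice's write to payroll is still refused by the data layer's ACL, which is the point of designing from the core data outward.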