A software firewall should be sufficient at first. It makes sense to put off any additional spending until the app is validated and you start to scale.
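A concrete starting point for the "software firewall first" advice, added here as an illustration and not taken from the thread: a default-deny inbound host ruleset for nftables on Linux. The service ports (SSH on 22, web on 80/443), the rate limits and the file layout are assumptions; adjust them to the host's actual exposure.

```shell
#!/bin/sh
# Minimal default-deny host firewall using nftables (added example, not from the thread).
# Assumptions: Linux with the nft binary available; the host exposes SSH plus a web app.
# Ports and rate limits are illustrative defaults and can be overridden via environment.

SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80, 443}"

# Print the ruleset. Inbound policy is drop: only loopback, reply traffic to
# connections the host opened, rate-limited ICMP, SSH (with a new-connection
# rate limit) and the web ports are accepted. Forwarding is dropped, outbound allowed.
host_fw_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
    tcp dport ${SSH_PORT} ct state new limit rate 5/minute accept
    tcp dport { ${WEB_PORTS} } accept
    counter comment "dropped inbound"
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c), so a typo cannot
# lock you out. Reports, rather than fails, when nft is not installed.
host_fw_check() {
  if command -v nft >/dev/null 2>&1; then
    host_fw_ruleset | nft -c -f -
  else
    echo "nft not found; ruleset was not syntax-checked" >&2
  fi
}

# Load the ruleset atomically (requires root). Run host_fw_check first.
host_fw_apply() {
  host_fw_ruleset | nft -f -
}

# Usage (as root): host_fw_check && host_fw_apply
# Persist it via your distribution's nftables service (e.g. /etc/nftables.conf)
# so it survives reboot; that path is distribution-specific and assumed here.
```

Keep the SSH rule above the web rules and test from a second session before closing the first, so a mistake in the ruleset does not cost you remote access.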
So that means that the OS firewall is safe enough that I shouldn't worry about it being compromised? I suppose the HW firewall could also be compromised, but it does give a bit of extra peace of mind.
In isolation, yes - it is unlikely the vector of attack would (ever) be the firewall itself. In fact I think system-level attacks are less likely than application-level attacks (SQL injection, XSS, etc.).
I think you really get some performance features (like SSL offloading, etc.).