Hardware firewalls don't let you do some of the same stuff as software, such as blocking individual programs.
However, with my simple CBAC + access list based hardware firewall solution (found in most recent Cisco routers) I have a lot of control. I can block specific things such as Java from being accessed. I can block out entire ranges of ports and individual ports. I also have packet inspection which can block a whole bunch of things while configured. So these are more secure.
If you know what you're doing, it's extremely easy to trick a software firewall to the point where it's almost useless for blocking specific programs.