I agree with you to a point. In my small realm WordPress is the thing behind it, and simple search spam can just bring the app to its knees because of the horrible indexing WP has, even with plugins like Elastic. If you have control of the app it's a whole new ball game and then like others have said, the WAF is there to replace your own poor practices.
Only if the WAF can reject bad requests more cheaply than the thing behind it. IME if your app is implemented decently it will outperform the WAF.