Graham,
I don't understand why you feel the need to make such 'bold' statements especially within a space that is so unclear. There are solutions that beat the firewall module 'hands down' and beat your proposed solution 'hands down'. Unplug the internet, there you go.
Blacklists can clearly be a positive component of a perimeter defense. The downside of blacklists is that they only block against what is 'known' and not what is emerging. In addition, the attack modes and sophistication are ever evolving.
You will also find that the attack sources vary somewhat based on the geographic location of the PBX. The initial goal of the firewall, in addition to 'standard' firewall abilities like blocking everything that we know we don't want on the system, was to address some of these areas. This is accomplished by adding some local 'static' and local 'dynamic' intelligence. The static part is to use the FreePBX configuration itself to determine what needs to be whitelisted, such as the IP address of configured SIP providers. If none are configured, none are whitelisted. If their address changes, the firewall changes, ...
The dynamic approach is to provide a perimeter defense that will SIGNIFICANTLY reduce the chance of a brute force attack in such a way as to block its ability to successfully attack you outside of the off chance that it hits a bullseye on your system on the first few tries. High quality passwords are always recommended, but if you use almost any password that isn't the extension number, it's almost certain that a brute force attack will be successful before it is locked out by both the firewall rules, as well as the fail2ban which is available as a second perimeter of defense.
That doesn't mean that your proposed blacklist is wrong, and you should be able to use your blacklist in conjunction with the firewall if it's using its own chains (I haven't looked, so I can't confirm, but conceptually it shouldn't be a problem). And more defenses will usually add more security unless they happen to do something that undermines other solutions (like short circuit the security abilities of another system).
But the crux of all of this, and why I continue to take exception to statements such as 'beats the new firewall hands down', is that the space is evolving and solutions need to evolve with the threats that are occurring. Blacklists are one component (and not something we've discounted at all). Most importantly, and one of the reasons we put out the firewall, is to provide a solution that is easy to use, intuitive so customers use it and don't turn it off because of problems they're having and an inability to understand what they implemented, and most importantly that will evolve along with updates that can be automatically installed on a user's system through the mechanisms that are keeping the rest of their systems up to date.
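The post contrasts a static whitelist (addresses of configured SIP providers) with a dynamic perimeter that locks out a source after a burst of failed registrations, with fail2ban as a second layer doing the same from the logs. The following is an added illustration of that dynamic layer, written for this page; it is not FreePBX or fail2ban code and makes no claim about how the FreePBX firewall module is implemented. It runs a sliding-window counter over constructed log lines in the style of Asterisk's chan_sip "Registration from ... failed" notices, exempts a hypothetical whitelisted provider address, and reports which sources would be blocked and when. The threshold, window, provider address and log lines are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the failed-registration NOTICE lines chan_sip emits on a
# wrong password / unknown peer. The capture we care about is the source IP.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-registration line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, threshold=5, window_seconds=60, whitelist=frozenset()):
    """Sliding-window brute-force detector (the 'dynamic' layer).

    A source is marked blocked at the timestamp of its `threshold`-th failure
    within `window_seconds`. Addresses in `whitelist` (the 'static' layer:
    configured providers) are never counted. Returns {ip: block_time}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    blocked = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # unrelated log line
        ts, ip = parsed
        if ip in whitelist or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def fail_line(ts, ip, ext="1001", reason="Wrong password"):
    # Constructed line mimicking chan_sip's NOTICE format; not a captured log.
    return (f"[{ts}] NOTICE[1234] chan_sip.c: Registration from "
            f"'<sip:{ext}@pbx.example>' failed for '{ip}:5060' - {reason}")


# Hypothetical address of a configured SIP trunk provider (assumption).
PROVIDER_IP = "198.51.100.20"

# Constructed sample log: one fast brute-forcer, a whitelisted provider that
# keeps failing (e.g. misconfigured trunk), a slow probe that stays under the
# window, a user mistyping a password twice, and one unrelated line.
SAMPLE_LOG = (
    [fail_line(f"2024-01-10 10:00:{s:02d}", "203.0.113.9") for s in (1, 3, 5, 7, 9, 11)]
    + [fail_line(f"2024-01-10 10:01:{s:02d}", PROVIDER_IP,
                 reason="Peer is not supposed to register") for s in range(7)]
    + [fail_line(t, "203.0.113.50") for t in ("2024-01-10 10:02:00", "2024-01-10 10:02:20",
                                              "2024-01-10 10:02:40", "2024-01-10 10:03:00",
                                              "2024-01-10 10:03:20")]
    + [fail_line(f"2024-01-10 10:05:{s:02d}", "203.0.113.77") for s in (0, 4)]
    + ["[2024-01-10 10:05:30] VERBOSE[1234] app_dial.c: unrelated line, must be ignored"]
)


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, whitelist={PROVIDER_IP}).items():
        print(f"block {ip} at {when.isoformat()}")
```

Two things the run makes visible: without the whitelist the provider address would be locked out by its own misconfiguration, which is exactly the kind of self-inflicted outage that makes people disable a perimeter tool; and the slow probe at one attempt per twenty seconds is invisible to a sixty-second window but is caught as soon as the window is widened, so the threshold and window are a tuning decision, not a fixed property of the technique.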