Firewalls at the ISP end of the link are normally more effective as they save your link bandwidth.
If its your business, use multiple links for different types of traffic or have bandwidth management running at both ends of the link. Internally generated traffic (that includes DNS, email, outbound http etc) shouldn't be able to interfere with income-generating inbound http. A decent ISP should be willing to filter port 53 (stateless router ACLs are fine) at their end.
Security - its about risk management.
There's an opportunity for ISP's here. For traffic to/from the internet, most organisations have relatively static requirements. I suspect the reason this hasn't taken off is outrageous pricing attached to such options. Virtual machines running OSS firewalls under customer control are probably all most organisations actually need.