It's entirely possible to have a firewall and still get hurt by this. It all depends on how you have that firewall configured.
The company I work for has extremely stringent firewall rules, and allows nothing inbound, and the only thing outbound is HTTP, which is proxied via an authenticated proxy. This cuts down to almost nothing the worms we get, and most of those are from vendor laptops that are brought in and plugged in against corporate policy.
It also helps that we ensure that all* machines are patched after the patches have been tested in our labs, and all* machines have virus scanning software on them, which is updated weekly.
* When I say all, I mean all workstations that the IT department knows about. Periodic scans are run of the network to detect unauthorized machines, and all effort is made to keep that list down to almost 0. There are probably under 50 machines company-wide that aren't patched and protected.