Advantages of a Firewall Over a Layer-3 Switch

Tags: firewall, layer3, routing, switch

From my understanding, a Layer 3 switch can handle cross-communication between separate LANs and VLANs, as well as fine-tuned ACL control between VLANs.

Despite this, I know a Layer 3 switch should definitely not be used in place of a Firewall, such as between your LAN and WAN.

What are some examples of the primary advantages of a Firewall over a Layer 3 switch in guarding your network, on top of ACLs?

Best Answer

Firewalls are usually stateful. Usually, you want a firewall to block everything but established communication, and this can be difficult to impossible with ACLs, depending on the router or switch vendor and software version. Some devices (router or switch) support reflexive ACLs that can be stateful, but they are more limited, and it becomes a large burden to maintain.

Next-generation firewalls can also look beyond the network traffic into the application data in order to block/allow applications.
Edit:

If you set up a traditional ACL to block all incoming traffic (firewall default behavior), then a host requesting data from outside could never get the data because the ACL will block all incoming traffic.

A reflexive ACL could see the outbound connection, and it can be configured to reflect (allow traffic back on that connection). This behavior maintains a connection state. This is basically what a firewall does; it maintains the state of a connection, up to a timeout period of inactivity. It will again block when the connection is closed.

A next-generation firewall goes even further. It will be able to do deep packet inspection to deterministically or heuristically determine what type of data is passing through, or which application is communicating. That adds flexibility to block or allow in a more finely-grained fashion. For example, the firewall could actually detect and block malware in a data stream, it could block a torrent, or you could allow only traffic to and from a single application on a particular host. This type of firewall needs to have a maintenance contract that allows the software to be updated to stay current.
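To make the difference between a traditional ACL and a stateful firewall concrete, here is an added simulation that is not part of the original answer. It runs a constructed packet trace (addresses, ports and timestamps are invented for the example) through two policies: a stateless "deny all inbound" ACL, and a minimal connection tracker that opens state only on an outbound SYN, allows return traffic while that state exists, expires it after an idle timeout, and tears it down on RST or after both sides send FIN. The `INSIDE_NET` prefix and the 300-second idle timeout are assumptions; real firewalls also keep a short post-close state and handle TCP more carefully than this.

```python
"""Stateless ACL vs. stateful filtering, simulated on a constructed packet trace."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumed internal prefix (example value)
IDLE_TIMEOUT = 300.0     # assumed seconds of inactivity before state is dropped


@dataclass(frozen=True)
class Packet:
    t: float       # timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # "S" = SYN, "F" = FIN, "R" = RST, "" = plain ACK/data


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_acl(pkt: Packet) -> bool:
    """Traditional ACL: permit anything leaving, deny anything entering.
    Note that even replies to internal requests are denied."""
    return is_inside(pkt.src)


class StatefulFilter:
    """Tiny connection tracker: the behaviour a stateful firewall adds on top of an ACL."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}  # canonical 5-tuple -> {"last": time, "fins": count}

    def _key(self, pkt: Packet):
        # Canonical key always oriented from the inside host to the outside host,
        # so a reply maps to the same entry as the request that created it.
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        # Drop entries that have been idle longer than the timeout.
        for key, entry in list(self.table.items()):
            if now - entry["last"] > self.idle_timeout:
                del self.table[key]

    def filter(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        key = self._key(pkt)
        outbound = is_inside(pkt.src)
        entry = self.table.get(key)
        if entry is None:
            # No state: only an outbound SYN may open a new connection.
            if not outbound or "S" not in pkt.flags:
                return False
            self.table[key] = {"last": pkt.t, "fins": 0}
            return True
        # Known connection in either direction: permit, refresh, track teardown.
        entry["last"] = pkt.t
        if "R" in pkt.flags:
            del self.table[key]            # reset ends the connection at once
        elif "F" in pkt.flags:
            entry["fins"] += 1
            if entry["fins"] >= 2:         # both sides have sent FIN: closed
                del self.table[key]
        return True


# Constructed trace: an internal host talks HTTPS to an external server,
# an unsolicited inbound SSH SYN arrives, a reply shows up after the idle
# timeout, and a second connection is opened and closed cleanly.
TRACE = [
    Packet(0.0, "10.0.0.5", 40000, "203.0.113.10", 443, "S"),   # inside opens HTTPS
    Packet(0.1, "203.0.113.10", 443, "10.0.0.5", 40000, "S"),   # SYN/ACK back
    Packet(0.2, "10.0.0.5", 40000, "203.0.113.10", 443),        # ACK + request
    Packet(0.3, "203.0.113.10", 443, "10.0.0.5", 40000),        # response data
    Packet(1.0, "198.51.100.7", 55555, "10.0.0.5", 22, "S"),    # unsolicited inbound
    Packet(400.0, "203.0.113.10", 443, "10.0.0.5", 40000),      # reply after idle timeout
    Packet(401.0, "10.0.0.5", 40001, "203.0.113.10", 443, "S"), # second connection
    Packet(401.1, "203.0.113.10", 443, "10.0.0.5", 40001, "S"),
    Packet(402.0, "10.0.0.5", 40001, "203.0.113.10", 443, "F"), # inside closes
    Packet(402.1, "203.0.113.10", 443, "10.0.0.5", 40001, "F"), # outside closes
    Packet(403.0, "203.0.113.10", 443, "10.0.0.5", 40001),      # data after close
]


def run(policy, trace):
    """Apply a per-packet policy to a trace; returns one verdict per packet."""
    return [policy(p) for p in trace]


def compare(trace=TRACE):
    """Return (stateless verdicts, stateful verdicts) for the same trace."""
    return run(stateless_acl, trace), run(StatefulFilter().filter, trace)


if __name__ == "__main__":
    acl, stateful = compare()
    for pkt, a, s in zip(TRACE, acl, stateful):
        print(f"t={pkt.t:6.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags or '-':2} ACL={'permit' if a else 'deny  '} "
              f"stateful={'permit' if s else 'deny'}")
```

Running it shows the point the answer makes: the stateless ACL denies every inbound packet, including the SYN/ACK and data the internal host asked for, so the request can never complete; the stateful filter permits those replies, still denies the unsolicited inbound SYN, and denies the late reply once the idle timeout has removed the state and the data that arrives after both FINs closed the connection.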
