Not familiar with fwbuilder, but they all have more specific meanings in networking, here is how I would define them off the top of my head for general networking:
NAT and PAT:
Changes the IP destination or source and/or the ports in TCP/UDP. The most common uses are so multiple people can share a public IP, or to map public IPs to private IPs for services.
Policy:
What to do with packets that meet certain requirements based on all sorts of properties at various network levels. For example, drop them, or send an ICMP message to the requester saying it is closed. Here the primary use is for security to protect your network.
IP Routes:
Decide which interface to send traffic out depending on the destination IP (or possibly more advanced things when you talk about policy-based routing). The use here is that this is how the internet and most major computer networks work at the higher levels. Generally, NAT happens before routing, so the packet is altered by NAT and then routed according to the result.
General vs. Specific:
Your generalization of "ways to tell the data where to go depending on what it is and where it is coming from" is roughly what "networking" is. To take it to a higher level, to me it is almost like saying "Why are there all these computer words when all they do is move and manipulate data" :-) These terms are all specific aspects of networking which can be a full-time vocation.
Hardware firewalls are running software too; the only real difference is that the device is purpose-built and dedicated to the task. Software firewalls on servers can be just as secure as hardware firewalls when properly configured (note that hardware firewalls are generally 'easier' to get to that level, and software firewalls are 'easier' to screw up).
If you're running outdated software, there's likely a known vulnerability. While your server might be susceptible to this attack vector, stating that it is unprotected is inflammatory, misleading, or a boldface lie (depends on what exactly they said and how they meant it). You should update the software and patch any known vulnerabilities regardless of the probability of exploitation.
Stating that IPTables is ineffective is misleading at best. Though again, if the one rule is allow everything from all to all then yeah, it wouldn't be doing anything at all.
Side Note: all my personal servers are FreeBSD powered and use only IPFW (built-in software firewall). I have never had a problem with this setup; I also follow the security announcements and have never seen any issues with this firewall software.
At work we have security in layers; the edge firewall filters out all the obvious crap (hardware firewall); internal firewalls filter traffic down for the individual servers or location on the network (mix of mostly software and hardware firewalls).
For complex networks of any kind, security in layers is most appropriate. For simple servers like yours there may be some benefit in having a separate hardware firewall, but fairly little.
Best Answer
A "regular" firewall typically only looks at layers 3 and 4 of the OSI model. For instance, to allow TCP port 80, allow UDP port 53 from only specific IP addresses, or deny TCP port 25.
For HTTP requests, once the "allow TCP port 80" hurdle is cleared, the firewall is uninterested in what's passed via that connection.
A Web Application Firewall works almost exclusively at layer 7, dealing with security in terms of the content of HTTP requests.
Mainly, they're looking to prevent requests that are outside what should be expected for your web application, using rules applied to incoming HTTP requests to prevent attacks like cross-site scripting, SQL injection, directory traversal, or brute-force authentication attempts. Essentially, their whole purpose is shielding the web server from the kinds of manipulated and malicious requests that attackers might use to compromise your web application.
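Added example (not part of the original answer): a minimal Python sketch of the two decision layers described above, showing that requests which all pass the "allow TCP port 80" packet rule get different verdicts once the HTTP content is inspected. The rule patterns, the `192.0.2.0/24` source range, the function names and the sample requests are constructed for illustration and are far simpler than a real WAF rule set.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Layer 3/4 rules mirroring the answer's examples: (proto, dest port, source net, action).
# 192.0.2.0/24 is a constructed stand-in for "specific IP addresses".
L4_RULES = [
    ("tcp", 80, "0.0.0.0/0", "allow"),
    ("udp", 53, "192.0.2.0/24", "allow"),
    ("tcp", 25, "0.0.0.0/0", "deny"),
]

# Deliberately simplified layer 7 signatures (assumed patterns, not a product's rules).
WAF_RULES = {
    "directory traversal": re.compile(r"\.\.[/\\]"),
    "sql injection": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "cross-site scripting": re.compile(r"<\s*script\b", re.I),
}

def l4_decision(proto, dport, src):
    """Packet filter: first rule matching protocol, port and source wins; default deny."""
    addr = ipaddress.ip_address(src)
    for r_proto, r_port, r_net, action in L4_RULES:
        if (proto, dport) == (r_proto, r_port) and addr in ipaddress.ip_network(r_net):
            return action
    return "deny"

def waf_decision(request_line):
    """WAF: URL-decode the request target, then match it against the content rules."""
    target = unquote_plus(request_line.split(" ")[1])
    for name, pattern in WAF_RULES.items():
        if pattern.search(target):
            return "block: " + name
    return "allow"

# Constructed sample requests, all arriving on TCP port 80 from the same client.
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
]

def evaluate(src, request_line):
    """Return (packet filter verdict, WAF verdict) for one HTTP request."""
    return l4_decision("tcp", 80, src), waf_decision(request_line)

if __name__ == "__main__":
    for line in SAMPLES:
        print(evaluate("198.51.100.7", line), line)
```

Every sample gets `allow` from the packet filter because it only sees protocol, port and source address; only the layer 7 check distinguishes the ordinary request from the other three.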