Organizations have to look at the capabilities WAFs can provide that traditional web applications do not provide (or are generally not coded to provide).
For example, WAFs generally have some type of "response" mechanism built in. In the event of an attack, they can automatically respond to protect the application. This can include brute-force protection, DoS (to a degree), and banning requests from certain IP addresses. You could code your application to do this, but a WAF is at your perimeter. It is best to stop malicious traffic there, rather than further in your network. Furthermore, a network-based WAF can protect several websites, maybe cutting down on the development time required.
One key benefit is around the detection of attacks/logging. If your WAF is detecting an attack, it can pass that information along to a SIEM solution. The WAF has signatures to detect attacks against a variety of backends, not just the one you built. Your security staff could then use that information to determine a best course of action. Maybe they correlate it with other attacks that are happening, etc.
Another key feature is that the WAF can be used to protect the web server as well as the web application. For example, WAFs can be configured to stop buffer overflow attacks against IIS itself. Your web application cannot do this.
Lastly, WAFs can be used to do "virtual patching". For example, say you find out that your web application has a security hole if sent a particular request. You could, of course, change the code. But this may take time (change management, getting the developer to write something, testing, etc.). While you wait for a patch from the development team, a signature could be created to "protect" the web site from that attack vector.
One thing to add is along the lines of @Lucas Kauffman's answer. Security is all about layers. You cannot know for sure that your web application is "completely" secure. Adding another layer in front of that doesn't hurt.
WAFs have been a hot topic since they were first introduced, with many security folks on either side of the "need it / don't need it" debate. I think that it all comes down to the capabilities you require for your given situation.
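The virtual patching and SIEM logging points in the answer above, sketched as an added example that is not part of the original answer and is not any WAF product's code. It assumes a hypothetical `/report` endpoint whose `id` parameter is mishandled when non-numeric; the rule id, field names and sample requests are constructed, and only query-string parameters are inspected.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical virtual patch: the application is assumed to mishandle a
# non-numeric "id" on /report until the development team ships a code fix.
VIRTUAL_PATCHES = [
    {"rule_id": "VP-0001", "path": "/report", "param": "id",
     "allow": re.compile(r"[0-9]{1,10}")},
]


def inspect(method, url, client_ip):
    """Return (allowed, event); event is a JSON line for the SIEM or None."""
    parts = urlsplit(url)
    # Decode the path so an encoded spelling of /report is still matched.
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in VIRTUAL_PATCHES:
        if path != patch["path"]:
            continue
        # Check every occurrence, not just the first: the backend may read
        # a different copy of a repeated parameter than the filter does.
        for value in params.get(patch["param"], []):
            if not patch["allow"].fullmatch(value):
                event = json.dumps({
                    "action": "blocked",
                    "rule_id": patch["rule_id"],
                    "client_ip": client_ip,
                    "method": method,
                    "path": path,
                    "param": patch["param"],
                    "value": value[:64],  # truncate what goes to the log
                }, sort_keys=True)
                return False, event
    return True, None


if __name__ == "__main__":
    # Constructed sample requests (203.0.113.0/24 is a documentation range).
    for url in ("/report?id=42", "/report?id=42&id=not-a-number"):
        print(url, inspect("GET", url, "203.0.113.5"))
```

The rule is an allow-list for the one affected parameter rather than a pattern for known bad input, so it can be removed cleanly once the code fix is deployed.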