| I imagine that two hardware firewalls in tandem would also pose a problem as well|
It doesn't pose a problem so much as it means (potentially) having to configure things twice.
My internet connects to a SOHO router. That in turn connects to my UNIX firewall running pf. That in turn connects to my switch and the rest of my LAN. If I need to do a port forward, then I have to configure it on both firewalls. Excluding, of course, my ssh port forward, which was only configured on the SOHO router and points to my BSD box.
But other than port forwards, I don't make many changes on the SOHO router. I do all my other filtering just on the BSD box instead. Even if someone were able to hack my SOHO router, the only place they could go would be my BSD firewall.
It's a little bulky, but it is added security, and pf gives me much more granular control than a SOHO router does. I don't much bother with the software firewalls on my LAN PCs at all.
It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.