You can keep people from portscanning your machines and only allow mail, ftp, ssh, and web. This keeps the machines from having to respond to portscans, and lets the firewall just drop them. Without a firewall, it is a lot easier to DoS a machine by filling up its connection table.
Having a firewall separate from your servers prevents anyone from running their own server applications without authorization by the host. A common example is that anyone can start an IRC daemon, but if port 6667 is blocked then it will do them no good.
Most smaller hosts don't pay for expensive firewalls like PIX, Netscreen, or Checkpoint, and are perfectly content letting the servers do the work via ipfw or ipchains/tables.
Originally posted by dannyboy
As for VPNs, they don't seem important in a hosting environment,
Not true, VPNs are very important in the enterprise hosting environment. Larger hosting companies often have clients run VPNs to their servers. The VPNs are used to update content, synchronize databases, and provide secure access to remotely hosted corporate intranets.
VPNs are also important if someone is using a hosting data center as a disaster recovery location.
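As an added example (not part of the original post), this is the default-drop policy described above written as an iptables ruleset for a separate firewall in front of the servers. The subnet and port list are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a standalone firewall that forwards
# only mail, ftp, ssh and web to the hosted servers and drops the rest.
# ALLOWED_TCP and SERVER_NET are constructed sample values (assumptions).
ALLOWED_TCP="21 22 25 80"      # ftp control, ssh, smtp, http
SERVER_NET="192.0.2.0/24"      # documentation range standing in for the server subnet

gen_rules() {
    echo "*filter"
    # Default DROP: a portscan probe to any other port gets no reply at all,
    # and a daemon someone starts on 6667 is unreachable from outside.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # The firewall host itself: loopback and replies only. Add a source-restricted
    # management rule before loading, or you lock yourself out.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Replies for connections already permitted below.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New inbound connections: only the listed services.
    for port in $ALLOWED_TCP; do
        echo "-A FORWARD -d $SERVER_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Not covered here: FTP data channels (need the conntrack FTP helper) and
    # connections the servers originate themselves (DNS, outbound mail).
    echo "COMMIT"
}

# Exit 0 when a NEW inbound connection to TCP port $1 would be forwarded.
port_allowed() {
    gen_rules | grep -q -e "--dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Stand-alone run prints the ruleset.
gen_rules
```

The output is in the format `iptables-restore` reads on standard input; `iptables-restore --test` parses it without committing.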