Because they can make money by selling you something like a Maintenance contract - it's not just Firewall Vendors, look around.
The WG firewalls work for years, but you may not get firmware updates in the case of an exploit or new features to combat some new threat - they require a yearly subscription fee.... Most of the vendors do, at least the ones that seem to have the best track record.
Licensing varies: some of them really do shut down if you don't get the renewal code.
For -most- of them, you buy a device with a particular software release, and if you are happy with that release you don't -have- to upgrade.
But -- you have to know what the vendor's policy is when security problems are found, and when bugs are found.
Bugs in firewalls are common, just like bugs in any other complex code. A lot of the bugs are rather obscure, perhaps dealing with the interaction of a 10-year-old feature with a new one, or perhaps dealing with new features that don't -always- work. Outright security fixes are not particularly common, but there might be a small number a year for any given release.
Some vendors have a "free software upgrades for life" policy.
Some vendors have a "free software when a security fix goes out" policy, possibly restricting the entitlement to "the same release train". When the release train eventually stops being supported, what happens afterwards is not always well defined.
Some vendors have a "No updates without a contract" policy.
It's a mix, just like in other software businesses. The most -common- practice is that the annual fee is for updates and support calls, and possibly for hardware maint if applicable (and covered by the contract variety.)
Microsoft announced plans years ago to head towards a "software leasing" scheme, in which you paid a yearly fee for use of the software and updates, but that the access would expire. There was a fair bit of press at the time that said more or less, "Ah, yes, that is the way of the future"; fortunately Microsoft's releases along those lines are late.
That's not quite correct, at least not for all firewalls and specifically those that include IDS. Those firewalls have predefined rules that deal with exploits. As new exploits are identified, the rules are updated.
Some software-based systems will. I know that CyBlock filtering software will quit filtering, if the annual license is not paid. CyBlock will still function as a proxy, but the filtering part of it will cease to function if there is no current valid license key entered.