The biggest holes in your firewall, generally, are the ones you put there. There are tons of programs that have some form of virus hidden that connects to a server of some sort, be it IRC, a given IP, etc. and sits idle until it's told to do something. Often this is used to "hide" an IP when someone is doing something illegal, and can often route through several machines, or your computer may be used in a DoS attack.
These attacks are prevented if your firewall is not one-way, meaning it allows any outbound connection, but not an incoming. The failure in this situation arises from the fact that this trojan initiated the connection.
Any other opening in a firewall is generally either put there manually or is the result of bad code. But no matter what, never fool yourself into thinking you're secure, unless your computer is completely cut off from a network. And it's as simple as that. The same, obviously, goes for virii as well.