A challenge to all FreePBX based Distros

The need for a per-machine firewall is subjective.

-#1 If you run a hosted PBX explicitly accepting traffic from 0/0 with all (needed) ports exposed to The 'Net, you need one, no doubt 'bout that. But then you’re probably a weathered admin who knows what you are doing.

-#2 If you run an in-house private VoIP intranet, meaning you have an Internet Gateway with Firewall already, above the PBX, with rules to allow only to/from the trunk providers’ IPs, I’d say it’s probably debatable whether you need more than fail2ban on the PBX itself, as your Internet Gateway already does firewalling for you. My Fail2Ban has run like that since deployment; I have not seen an IP from the wild outside banned yet.

-#3 Do you need one if you, say, allow your ‘roadrunners’ to the private VoIP intranet in case #2, through dedicated tunnel(s)? That is, you already punched a hole through the Gateway Firewall to let traffic into the TUNnel server… Do you need more firewalls? Possibly, but not the same kind as case #1.

-#4 Variations of the kind ‘I have a public IPv6/IPv4 VoIP-only (and also not-VoIP-exclusive, hey, people have softphones on their PCs) subnet in my house’ network are also possible.

So guidance for each case would probably be welcome, but I can’t see how any ‘standard’ firewall can cater for all of that at the same time.