I use a combination of Mikrotik, Grandstream 7000’s, pfsence, Watchguard, and Sonic wall. Sometimes I have no say due to existing IT.
Really, it depends on the customer. I 100% agree with @Sifter that, regardless what firewall, you need to use complex passwords, non-standard ports, fail2ban, and also stay on top of firmware updates. Mikrotik had a number of security issues over the last year but all were promptly fixed via firmware update.
The Grandstream and Mikrotik firewall are akin to an alarm system. Set and forget but nothing is intelligently watching and alerting.
Pfsence, Watchguard, and Sonic wall (I don’t like Sonic wall) at least offer options, some paid license, that more akin to a guard walking around looking for problems.
Pfsence is open-source so you can build your own device. Also, you can buy premade pfsence appliances at a reasonable price.