Your argument is bogus - see above... again, a basic, properly configured firewall has negligible impact on pretty much any systems resources, even ancient ones...
So, yeah, enabling a firewall on a mail server is essentially free, whether talking impact on system resources, or dollar cost.
Why would I threaten the much-loved near-instantaneous response of my mail servers by spending resources there that are better spent on my border routers, whose CPUs sit at 90% idle time unless they're doing a BGP update?
Because even a firewall with a huge list of hosts to block will be faster then handling a ton of bogus logins from bots and script kiddies.
Because a border router can't tell if a connection coming from an IP is bad or not without deep packet inspection, and of course you have the results on the mail server itself. Also blocking all of these bogus requests at the iptables level will stop them from using any further resources.
You're right, it's not 'free', but the costs of doing it are cheaper then having to handle a tons of bogus authentication, and the consequences less dire if they actually manage to find a working login name and password.
If they do find a working login name and password they are going to start hitting the SMTP server with it and then if they do get it to be in relay mode (either through SMTP AUTH or POP-before-SMTP) then you'll end up spewing spam and that will cost you a lot more resources then the firewall ever will.