Aside from not needing to remap ports and share a public IP address, a stateful firewall causes the exact same problems as NAT with regard to the end-to-end principle. Two systems which are both behind stateful firewalls can't connect to each other unless one of their administrators consents to open a port for incoming traffic, or they use a technique designed to deal with NAT, like UDP hole-punching (which highlights the limits of both NAT and stateful firewalls for ingress filtering).
If you allow applications to open their own ports (e.g. with UPnP), then you gain no real security advantage compared to simply allowing the traffic through. Blacklisting specific ports due to security issues is a workaround at best, a leaky patch for insecure protocols that can't do their own authentication. Static firewalls have their place providing layered defense for dedicated systems--for example, making sure that your web server can only receive incoming connections on port 80--but general-purpose workstations, and especially mobile devices, need to be self-contained, secure in the face of a direct connection to the Internet with no intervening firewall. The only reasonable place to implement that security is in the server software itself, backed up by OS-level local security primitives.
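
An added example, not part of the original text: a toy connection-tracking model of the case described above, where two hosts each sit behind a stateful firewall. The `StatefulFirewall` class, the addresses and the ports are constructed for illustration; the model tracks UDP flow state only and sends no traffic.

```python
"""Toy model of stateful (connection-tracking) UDP filtering; no traffic is sent."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

@dataclass
class StatefulFirewall:
    open_ports: set = field(default_factory=set)  # statically allowed inbound ports
    flows: set = field(default_factory=set)       # (inside endpoint, outside endpoint)

    def egress(self, pkt):
        # Outbound traffic is always allowed and creates return-path state.
        self.flows.add((pkt.src, pkt.dst))
        return True

    def ingress(self, pkt):
        # Inbound is accepted only for an open port or an existing flow.
        return pkt.dst[1] in self.open_ports or (pkt.dst, pkt.src) in self.flows

def send(pkt, fw_sender, fw_receiver):
    """Pass one datagram through the sender's firewall, then the receiver's."""
    return fw_sender.egress(pkt) and fw_receiver.ingress(pkt)

A = ("2001:db8::a", 40000)  # constructed documentation addresses
B = ("2001:db8::b", 50000)

def one_sided():
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    return send(Packet(A, B), fw_a, fw_b)

def hole_punch():
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall()
    first = send(Packet(A, B), fw_a, fw_b)  # dropped at B, but A now holds state
    reply = send(Packet(B, A), fw_b, fw_a)  # matches A's state and creates B's
    again = send(Packet(A, B), fw_a, fw_b)  # now matches B's state
    return first, reply, again

def admin_opens_port():
    fw_a, fw_b = StatefulFirewall(), StatefulFirewall(open_ports={B[1]})
    return send(Packet(A, B), fw_a, fw_b)

if __name__ == "__main__":
    print(one_sided(), hole_punch(), admin_opens_port())
```

Once both sides have sent a single outbound datagram, each firewall treats the peer's traffic as return traffic, which is why flow state alone says nothing about whether the inbound data is wanted.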