bc569a80a344f9c | 28 days ago
As a host firewall, it's obviously fine; I assume your question is about using pf as a network firewall. Given the threat landscape, you usually want threat protection. At the very least that means close-to-real-time updates from reputation lists. You can script that with pf, but it's not fun. Really, you want protocol dissection and - quite possibly - the ability to decrypt on the box and do payload analysis. Just doing packet filtering doesn't buy you all that much anymore these days, and anything production that requires compliance or that you genuinely care about should be behind what you might also call IPS or layer 7 firewall capabilities.
pf doesn't do any of that. You don't have to use Palo Alto or Cisco for this, either.
If all you need is packet filtering, it's a good option, though.
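What scripting reputation-list updates for pf involves, as an added example that is not part of the comment above or any project's own code. The table name, feed URL, use of curl, `MIN_ENTRIES` threshold and the filtering policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refresh a pf table from an IP reputation feed.
# Assumed (not from the comment): table name, feed URL, curl, and pf.conf rules
#   table <badhosts> persist
#   block in quick from <badhosts>
TABLE="badhosts"
FEED_URL="https://feed.example.invalid/ipv4.txt"   # placeholder URL
MIN_ENTRIES=1                                      # raise to match your feed's normal size

# Constructed sample feed (documentation ranges plus entries that must be rejected).
sample_feed() {
    printf '%s\n' '# constructed sample' '198.51.100.7' '203.0.113.0/24  ; note' \
        '198.51.100.7' '10.0.0.0/8' '0.0.0.0/0' '999.1.1.1' 'evil.example' \
        '192.168.1.1' '203.0.113.9/40'
}

# Read a feed on stdin, print unique, well-formed IPv4 addresses/CIDR blocks.
# Rejects hostnames, octets > 255, prefixes outside /8../32, and
# 0/8, 10/8, 127/8, 172.16/12, 192.168/16 so a bad feed cannot block internal hosts.
sanitize_feed() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' |
    awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { next }
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255   { next }
        NF == 5 && ($5 < 8 || $5 > 32)                 { next }
        $1 == 0 || $1 == 10 || $1 == 127               { next }
        $1 == 192 && $2 == 168                         { next }
        $1 == 172 && $2 >= 16 && $2 <= 31              { next }
        { print }
    ' | LC_ALL=C sort -u
}

# Fetch, sanitize, then swap the table contents in one pfctl call.
# A failed download or a near-empty result leaves the current table untouched.
update_table() {
    raw=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$raw"; return 1; }
    rc=1
    if curl -fsS --max-time 30 -o "$raw" "$FEED_URL"; then
        sanitize_feed < "$raw" > "$new"
        if [ "$(grep -c . "$new")" -ge "$MIN_ENTRIES" ]; then
            pfctl -t "$TABLE" -T replace -f "$new" && rc=0
        fi
    fi
    rm -f "$raw" "$new"
    return "$rc"
}

# Only touch pf when asked to, e.g. from cron: sh update-badhosts.sh --apply
if [ "${1:-}" = "--apply" ]; then update_table; fi
```

Running `sample_feed | sanitize_feed` shows what survives the filter without touching pf; `--apply` needs root and a loaded ruleset that defines the table.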