Most home routers are going to act as a pretty good firewall for 2 reasons:
-they are "dumb." Most home routers don't come bundled with a lot of extra services and options which are the source of many attacks against high end firewalls. If a service just doesn't exist, it is pretty hard to exploit.
-most people using home routers don't ever setup rules to allow traffic back into their environment. They buy the device, plug it in, and that's it. Many problems with firewalls are based on their rule set rather than the device itself. They allow malicious traffic to reach places that it shouldn't by being too broad, including unnecessary ports, the dreaded *.*, and so on. Of course, this situation leads to the most common home firewall attack... default username and password.
Even with those two comments I say most home systems still need a local firewall to catch outbound traffic. As the previous posters have already pointed out, most home users are hit from malicious websites and files (OS and app level hacks) rather than network based attacks. Most home routers won't alert you to suspicious outbound traffic. Local firewalls will at least attempt to warn you that a new app/service is trying to reach out and touch someone.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER