Or build an IDS (snort or something) box and span it with the external port of your firewall. Making a single point of failure, putting all your eggs in one basket, and expecting your firewall to be a Swiss Army Knife network appliance is dangerous if not simply foolish.
I don't see how including IDS functionality within your firewall has anything to do with it being a single point of failure. If you have a single firewall at your perimeter, it IS a single point of failure. Lack of added services does not change that fact.