The arguments people generally have against that are security of the hypervisor itself, which history has pretty much proven isn't much of a concern. That could always change, but there haven't yet been any really significant recurring hypervisor security issues. Some people just refuse to trust it, for no good reason. It's not about attacking other hosts if someone owns the firewall, in that case it doesn't matter where it's running, and of all the things that are likely to get compromised, the firewall is WAY down the list unless you do something stupid like open its management to the entire Internet with the default password set. Those people have some irrational fear that there's going to be some magic "root ESX" packet sent in from the Internet through one of its bridged interfaces that's somehow going to do something to the hypervisor. That's extraordinarily unlikely, there are millions of more likely ways your network is going to get compromised.

Numerous production datacenters run pfSense in ESX, I've setup probably in excess of 100 myself alone. Our firewalls run in ESX. From all those experiences, the only couple slight drawbacks to virtualizing your firewalls are: 1) if your virtualization infrastructure goes down, you're not going to be able to get to it to troubleshoot if you aren't physically at that location (mostly applicable to colo datacenters). This should be very rare, especially if you have CARP deployed with one firewall per physical host. I do see scenarios on occasion where this happens though, and someone has to physically go to the location to see what's wrong with their hypervisor as their virtual firewall and only path in is down too. 2) More prone to configuration mistakes that could pose security issues. When you have a vswitch of unfiltered Internet traffic, and one or multiple of private network traffic, there are a few possibilities for getting unfiltered Internet traffic dropped into your private networks (potential impact of which would vary from one environment to another). They're very unlikely scenarios, but far more likely than making the same kind of screw up in an environment where the completely untrusted traffic is not connected in any fashion to internal hosts.

Neither of those should keep you from doing it - just be careful to avoid scenario 1 outages especially if this is sitting in a datacenter where you don't have ready physical access if you lose the firewall.