"If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?"
A firewall inspects all the packets of data arriving from or going to a network interface, and then decides what to do with each one according to a list of rules. A firewall can reject a packet, ignore it, forward it, redirect it, log it or some combination of the above.
Send whatever you like at my telnet port, and you will not achieve anything useful - even if the firewall leaves the port open - as I have nothing listening on the telnet port. Setting the firewall to block outgoing packets with a destination of port 80 can make a machine more secure at the expense of making it difficult to access the internet.
The competition is based on cracking computers that have (more than) enough software working to make them useful, so the firewall rules have to be quite lax.
"What about if you also have a modern router with an ADDITIONAL firewall?"
A second firewall is only going to do the same thing as the first firewall, and is only of value if you think the first firewall is defective.
Once some data is past the firewall, it is up to some application to treat all the data from the network as suspicious. Some applications do a worse job than others. Any bug in an application that causes network data to be trusted without rigorous checking is a weakness that can be exploited. A badly designed application will give the exploiter root/admin access at once. A better design gives the cracker only the authority that the application needs, so she needs a local elevation of privilege exploit to get root/admin rights.
As far as I know, Norton / McAfee / TrendMicro antivirus software is more than just a firewall. They also examine files and processes for clues that they are not a virus/trojan/worm/rootkit. This adds an extra hoop to jump, but as I have not used Windows for over a decade, I have not bothered to find out if it is a significant barrier.
"Surely that must be safe?"
Safe from what?
If you get access to my desktop machine, you can change what TV programs I record. I have not made a huge effort to secure it; it is not worth anyone's time to crack it. It is acceptably safe for me.
If you crack my laptop, add a key logger without me catching on, get my gpg password and my encrypted password file, you could play with my bank accounts. Find a gullible mule to launder the money for you, and you get a few thousand. I have added enough personalised security to make this not worth your time. Again, it is acceptably safe for me.
An individual installation of XP/Vista/Linux/OSX/BSD may not guard much value, but when a single image is installed on thousands of machines, the budget available to crackers will be far in excess of what any individual is prepared to spend on defending the machine. I would not use a large mass produced software image to defend anything that I could not easily replace. Other people have different opinions on what is safe. If I had ten years of experience securing XP, I might have different opinions too.
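The first-match, rule-list behaviour described in the reply above (and its two concrete cases: a probe at a port nothing listens on, and blocking outgoing port 80), as an added example that is not part of the original post and not any real firewall product's code. The port sets, the two policies and the sample packets are assumptions chosen to mirror the questioner's "everything locked down except web and email" setup.

```python
"""Toy first-match packet filter, added as an illustration of the reply above.

Illustrative code only: not the original post's and not a real product's.
Each packet is checked against an ordered rule list; the first matching
terminal rule (ACCEPT, DROP or REJECT) decides, while LOG records the packet
and keeps evaluating. Ports, policies and sample traffic are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected host
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                              # ACCEPT, DROP, REJECT or LOG
    direction: Optional[str] = None          # None matches either direction
    proto: Optional[str] = None              # None matches any protocol
    dports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


class Firewall:
    """Stateless filter: first terminal match wins, otherwise the default policy."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules = list(rules)
        self.default = default
        self.logged: List[Packet] = []

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "LOG":   # non-terminal: record and keep going
                self.logged.append(pkt)
                continue
            return rule.action         # ACCEPT / DROP / REJECT ends evaluation
        return self.default


def host_response(fw: Firewall, listening: FrozenSet[int], pkt: Packet) -> str:
    """What an inbound packet achieves: stopped by the firewall, answered with a
    RST because nothing listens, or handed to an application (the only case in
    which application bugs matter at all)."""
    verdict = fw.decide(pkt)
    if verdict != "ACCEPT":
        return f"firewall:{verdict}"
    if pkt.dport not in listening:
        return "no listener (TCP RST)"
    return "delivered to application"


WEB = frozenset({80, 443})
MAIL = frozenset({25, 110, 143, 465, 587, 993, 995})
DNS = frozenset({53})

# Policy A (assumed): the questioner's setup. Inbound is dropped by the default
# policy, outbound is limited to web, mail and DNS; inbound telnet probes are
# logged before being dropped.
lax = Firewall([
    Rule("LOG", direction="in", proto="tcp", dports=frozenset({23})),
    Rule("ACCEPT", direction="out", proto="tcp", dports=WEB | MAIL),
    Rule("ACCEPT", direction="out", proto="udp", dports=DNS),
])

# Policy B (assumed): the same, plus the reply's "block outgoing port 80" rule,
# placed first so it wins over the broader ACCEPT. Safer, but plain-HTTP
# browsing stops working.
strict = Firewall([
    Rule("REJECT", direction="out", proto="tcp", dports=frozenset({80})),
    *lax.rules,
])

# Constructed sample traffic (not captured from anywhere).
SAMPLE = [
    Packet("in", "tcp", 23),     # someone probing the telnet port
    Packet("in", "tcp", 445),    # SMB probe
    Packet("out", "tcp", 80),    # browser fetching a plain-HTTP page
    Packet("out", "tcp", 443),   # browser fetching HTTPS
    Packet("out", "tcp", 993),   # mail client, IMAPS
    Packet("out", "tcp", 6667),  # IRC, not in the allowed set
]


def run_policy(fw: Firewall):
    return [(p.direction, p.proto, p.dport, fw.decide(p)) for p in SAMPLE]


if __name__ == "__main__":
    for name, fw in (("lax", lax), ("strict", strict)):
        print(name)
        for row in run_policy(fw):
            print("  ", row)
    # Even with inbound telnet explicitly allowed, a host with no telnet
    # daemon gives the sender nothing to talk to.
    open_telnet = Firewall([Rule("ACCEPT", direction="in", proto="tcp",
                                 dports=frozenset({23}))])
    print(host_response(open_telnet, frozenset({22, 80}), Packet("in", "tcp", 23)))
```

Rule order matters: in the strict policy the REJECT for port 80 has to precede the ACCEPT for the whole web set, otherwise it never fires. The filter is deliberately stateless; a real one would also need rules (or connection tracking) to let return traffic of outbound connections back in.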