
johnmaguire yesterday at 8:49 PM

NAT is not a firewall: all it does is rewrite packets, it does not drop them.


Replies

tyingq today at 2:39 AM

You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall.

jonathanlydall yesterday at 9:26 PM

The article actually remarks on this kind of argument.

While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which, even if not “perfect”, has indisputably proven to be quite effective against a lot of malicious activity.

Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run-of-the-mill malicious actors.

Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats.
