What are some of the most common and wrong ways to configure a firewall? I'll start the list with the following:
Blindly blocking ICMP. This was common practice in 1998 when smurf attacks were all the rage. Today you run the risk of creating a PMTU black hole and making it hard to diagnose problems. If you must block ICMP, at least allow fragmentation needed and echo request/replies through.
Stale Rules. It's too bad we can't set an expiration date on rules. When I migrate a service I often forget to remove the rules for the old service.
Opening it up to get it working... then never coming back and locking anything down.
Subsequent to John's example - not using comments against rules if your firewall supports them.
There's nothing worse than seeing a firewall for the first time and seeing all sorts of strange rules that make no sense to the naked eye, and the comments are all blank and there's no documentation.
On the subject of stale rules, as per your example - Proper documentation and procedures WILL eliminate such issues. I suggest that your problem is not at the firewall at all.
Personally I consider splitting inbound and outbound rules into two main groups to be an anti-pattern. Having to deal with two huge groups is a nightmare. I prefer to group rules for incoming and outgoing traffic that is related to a certain protocol/application. This way it is much easier to manage them.
Move the problem elsewhere.
E.g. the local PC's firewall is stopping some service or app from working, so disable it completely and say "the firewall on the edge router will be ok to protect all the PCs".
Hand-crafting and maintaining them.
Ancient 3rd-party scripts that "work good enough so we won't bother replacing them", require manual editing instead of using config files, and are completely incomprehensible to people who haven't read the thesis describing how they work.
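A small audit for three of the anti-patterns named in this thread (a blanket ICMP block, rules without comments, an ACCEPT left wide open), added here as an example and not posted by any participant. It assumes rules in `iptables-save` format; the ruleset and the `audit` and `opt` names are constructed for illustration, and only explicit rules are inspected, not chain policies.

```python
import shlex

# Numeric forms printed by iptables-save, mapped to the names used in the thread.
ICMP_NAMES = {"3/4": "fragmentation-needed", "8": "echo-request", "0": "echo-reply"}
NEEDED = set(ICMP_NAMES.values())

# Constructed ruleset for illustration (not from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "ssh from admin VLAN" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "allow ping" -j ACCEPT
-A INPUT -p icmp -m comment --comment "block ICMP" -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

def opt(tokens, flag):
    """Return the value following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(ruleset):
    """Return (line_number, finding) pairs for an iptables-save dump."""
    findings, allowed = [], {}  # allowed: chain -> ICMP types accepted so far
    for n, line in enumerate(ruleset.splitlines(), 1):
        if not line.startswith("-A "):
            continue  # table names, chain policies, COMMIT
        t = shlex.split(line)
        chain, target, icmp_type = t[1], opt(t, "-j"), opt(t, "--icmp-type")
        if opt(t, "--comment") is None:
            findings.append((n, "no comment"))
        if opt(t, "-p") == "icmp":
            seen = allowed.setdefault(chain, set())
            if target == "ACCEPT":  # an untyped ACCEPT lets every ICMP type through
                seen.update(NEEDED if icmp_type is None else {ICMP_NAMES.get(icmp_type, icmp_type)})
            elif target in ("DROP", "REJECT") and icmp_type is None:
                missing = sorted(NEEDED - seen)
                if missing:
                    findings.append((n, "blanket ICMP block; not allowed first: " + ", ".join(missing)))
        # A rule is narrowed if it matches on protocol, address, interface or a real module.
        modules = [t[i + 1] for i, x in enumerate(t[:-1]) if x == "-m"]
        narrowed = any(f in t for f in ("-p", "-s", "-d", "-i", "-o")) or any(m != "comment" for m in modules)
        if target == "ACCEPT" and not narrowed:
            findings.append((n, "ACCEPT with no match criteria"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(f"line {line_no}: {finding}")
```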