Why bother reverse proxying applications if you aren't using mod_security or TMG/UAG?

From the perspective of defense against attack, not filtering data in or out of course does not add anything of value. One could argue that proxying without forethought in fact lowers security in that:

  • greater complexity is introduced, often with a vengeance.
  • less transparency in that multiple log and alerting layers need correlation per transaction.
  • attack surface increases through additional subsystems.
  • greater diversification of systems increases the risk of human error.
  • every system carries bugs which introduce uncertainties; proxies are no exception.

not to mention the waste of technological resources (machines, storage, backup/restore, etc.).

On the other hand, there may be wins which relate to security in other ways:

  • Load balancing and failover possibilities.
  • Greater flexibility in the separation of access layer from service layer (i.e. easier to do maintenance, restructure etc).
  • The future option to easily introduce filtering and whatnot without contention for system resources in the service layer.
  • Separating functions other than simple attack signature filtering, such as rewrite logic or certain logging, for instance, making for greater ease of configuration and less risk during change.
  • Certain functions may be better documented or known on the proxy platform, giving greater overall stability and control or a lessening of unknowns through moving them away from the backend.

I'm sure there's more; this is just off the top of my head.
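As an added illustration of the wins listed in the answer above (not part of the original post), here is a minimal nginx reverse-proxy configuration that shows failover between backends, rewrite logic kept off the application servers, per-request correlation between proxy and backend logs, and a natural place where a filtering module could later be enabled. The hostnames, IP addresses and file paths are assumptions for illustration only; the directives belong inside the `http {}` block.

```nginx
# Added example, not from the original answer. Hostnames, IPs and paths
# are placeholders; the directives below go inside nginx's http {} block.

upstream app_backend {
    # Load balancing and failover: requests are spread across two
    # application servers; a server that fails 3 times within 30s is
    # taken out of rotation for 30s.
    server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;   # assumed address
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;   # assumed address
    server 10.0.1.12:8080 backup;   # only used when both primaries are down
}

# Separate logging layer: the proxy records a request id so that proxy and
# backend log lines can be correlated per transaction (the transparency
# cost named in the answer is reduced by making that join explicit).
log_format proxied '$remote_addr - [$time_local] "$request" $status '
                   'upstream=$upstream_addr upstream_status=$upstream_status '
                   'rt=$request_time urt=$upstream_response_time rid=$request_id';

server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname
    server_tokens off;             # do not advertise the nginx version

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # assumed path

    access_log /var/log/nginx/app.access.log proxied;

    # Rewrite logic lives on the proxy rather than in the application,
    # e.g. a legacy URL kept alive after a backend restructure.
    location /old-api/ {
        rewrite ^/old-api/(.*)$ /api/v1/$1 permanent;
    }

    location / {
        # Future filtering option: a WAF module (such as mod_security for
        # nginx) would be enabled for this location without touching the
        # backend; nothing is configured for it here.

        # Hide backend banners that would otherwise leak to clients.
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;

        # Pass the request id downstream so backend logs can be joined
        # with the proxy access log above.
        proxy_set_header X-Request-ID $request_id;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Failover: on connection errors, timeouts or selected 5xx answers
        # try the next upstream. nginx does not retry non-idempotent
        # methods (e.g. POST) by default, which avoids duplicated writes.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;

        proxy_pass http://app_backend;
    }
}
```

The point of the example is that every one of these concerns (rotation, rewrites, header hygiene, log correlation) is configured in one place on the proxy and can be changed without redeploying the application, which is the "lesser risk during change" the answer refers to. The correlation id is what makes the extra log layer manageable rather than a liability.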


There was a time that the default install of Apache simply had fewer known security holes than a default install of IIS; that alone was a security improvement.

Thus, it may have simply become tribal lore because it was once a best practice.