While protecting your sensitive data from leaving with Firewalls and Network DLP (a plus that Network DLP integrates into both the Firewall and Gateways), the best solution is to protect your data where it lives, in my opinion. All the network DLP doesn't do you any good if they can A) burn it to DVD or transfer it to a thumb drive, or B) just send it out encrypted.
This is why DLPe (endpoint) is where I would start, and if Intel Security would improve their Endpoint Encryption integration, even better.
To respond to your statements, it comes down to where sensitive data is stored on your network and within your organization. Where it lives, yes, but currently there are no viable (to my knowledge, correct me please if I'm wrong) agents for non-Windows systems. For example, many systems, developers, and servers run on non-Windows systems or through various databases, storage types, etc. Additionally, some organizations are not able to put in a NAC to prevent non-sanctioned PCs without the appropriate security controls installed from accessing the network.
While yes, in a perfect world we'd have detection in every place the data is... that would be so awesome.
Also, network DLP can easily cover the encryption portion. You just install certificates and run ICAP to an HTTP/S prevent system (like McAfee NDLP or Vontu or Websense) and deny/drop/alert on traffic matching the policy. Your firewall then blocks any encrypted traffic to unsanctioned network locations which do not meet the decryption requirements, etc.
There is always a way to try and bypass, but that's true with any security solution. Look further and you'll see there is a way to address every method you mentioned for bypassing, so it can at the very least be alerted on/tracked, if not blocked. The biggest obstacle is time and money. Businesses love setting those aside.