Is blocking a country's access to a website a good measure to avoid hackers from that country?
Country-based blocking is usually put in place as a result of some organisational policy whose intention is indeed to "block hackers". This sort of things fail on three points:
Such a policy assumes that malicious people can be categorized by nationality. This is old-style, World-War-I type of thinking.
Geographical position is immaterial for computers; a firewall can only see IP addresses. Inferring geography from IP addresses relies on big tables that are never completely up-to-date.
As you observed, working around these blocking systems is trivial for attackers; it suffices to use a relay host outside of the blocked country, and this happens "naturally" when using Tor. Most attackers will use such relays anyway, to cover their tracks.
So the usual net effect of such a blocking is to irritate a few normal users (who might have been customers, but will not now that they are angry), without actually impeding the efforts of competent attackers.
On the bright side, though, "country"-based blocking is sometimes put in place to prevent thousands of mindless drones from spamming the connection logs. For instance, the sysadmin might have noticed a surge of dummy connections from some botnet, most machines of which being located in Venezuela. In that case, blocking Venezuela altogether may help prevent the clogging of log files, while implying only minor impact on business (assuming that the server in question has very few honest Venezuela-based customers). Thus, it is conceivable that a risk/cost analysis has determined that such a large blocking would improve things.
However, in most cases, the "country blocking" is there for the show: a whole-country blocking helps sysadmins demonstrate to managers that they are doing something for security, in a way that managers readily understand. This is the usual predicament of security: when all things work well, security is invisible. It is unfortunately hard to negotiate budgets for activities that don't imply any visible result. Even though the whole point of security is to avoid having visible results, e.g. a defaced Web site or a list of 16 millions of user passwords leaked and hitting the news.
In the case of media distribution, some distributors enforce country-based blocking because they did not have whole-World retransmission rights, and by doing a modicus of blocking effort they fulfil their legal obligations. Arguably, this case is also "for the show".
In my case, our expected customers come from predictable countries, and so to limit the "threat surface", other countries are blocked.
This has limited value as any determined person can do what you did and simply re-route their traffic. The side benefit, though, is that the countries we permit are those with stringent cyber-laws and we can get law enforcement help if an attack happens. So, if an attacker from an non-allowed country routes their traffic through an allowed country, we can get the police involved. It's a small thing, but it does lower the risk without any impact to business and at no cost (except for the time to enter the allowed country into the firewall's whitelist).
When I did this, the bad traffic load on our web servers dropped 90%, which is significant in terms of resource cost-savings, if nothing else.
It's true, if a hacker would like to get access to your page, it will not help, he can simply use a vpn or proxy.
But if you think about all the bots out there which attack every page they find to test exploits and/or passwords, you will be able to block a lot of them. This will also help you against ddos attacks, if you block every country except the one you live in, you are able to block the most of the traffic. OF course, there are more effective methods against ddos attacks but a filter is a reasonable and simple one.