Admittedly, the best rootkits probably target the network equipment as well as the host.
At the host level, most organizations wouldn't be able to detect an unmasked trojan running as its own separate user process unless its signature was already known or its behavior caught by a blacklist-based IDS.
Also rootkits are way overrated. What you do when you compromise an organization is you open a connection to your C&C on a few machines to keep your foothold if any reboot. If you need to get in you just connect to one of those boxes and just continue on. You never have to drop anything on the hard disk which makes it much stealthier.