Not completly true.
Passwords - you should change your passwords after compromising. Reformatting your hdd doesn't help here.
Data - if you data was stolen, reformatting doesn't help. If your data was changed or deleted, reformatting doesn't help, too. You need backups of your data.
Programs - yes, that can be tricky. But: when the intruder is advaced enough to retain his/her privileged access to your system with modified/tailored binaries unknown to antiviral system, why he/she used the commonly known backdoor to penetrate it? I believe the vast majority of *detected* trojan/backdoor incidents are caused by casual script kiddies, and the danger of sofisticated system changes in them is small.