Red teams (internal or consultants) use this sort of tooling in the real world. Their job is to emulate a real, competent threat actor. APTs routinely use high-quality rootkits for EDR evasion.
Persistence is actually quite rare nowadays - since it's the most easily detected, red teams usually prefer not to and stay memory-only.
Many servers and systems are rarely rebooted, and many campaigns are not that long term. There may not be a reason to compromise the target again.
For example, a ransomware gang may compromise a company's network, steal data, deploy the cryptolocker, and then get out. There's no need to have persistent access; they got what they wanted.
I know that very well considering I have servers that have 5 years of uptime, but generally the environment isn't the same as it was with cloud services living less than a few hours (or even seconds for functional endpoints) this becomes a problem.
my first thoughts is that this is actually a vector against people rather than servers which do reboot daily.
Persistence is actually quite rare nowadays - since it's the most easily detected, red teams usually prefer not to and stay memory-only.