How do you explain the necessity of "nuke it from orbit" to management and users?

In my experience, management doesn't like to listen to clever analogies. Depending on the person, they care about the bottom line in dollars or hours of productivity. I would explain:

The actual bottom line is that a compromise of our data will cost the company approximately X dollars + Y hours to recover. This is Z% likely to happen given the malware that is on this machine. A new install will cost A dollars + B hours to recover. You pick the appropriate action.

It's short and clear and doesn't really leave them any room to argue. They will clearly understand the risk and should make the right decision.


I would avoid the biological or non-business analogies (unless this is a hospital). Your job is to assess risk, cost, and provide options. Your management's job is to make the decision based on your analysis and advice.

Generally, an approach in a tabular format is best. "approach", "likelihood of correcting the problem", "cost" are the minimum needed. You can call the second "Vegas" if you absolutely have to get cute.

For example, in this case, you may have the following.

Approach                          Prognosis   Cost
Run anti-virus on machine         30%         4 hours IT, 4 hours downtime
Replace machine w/new machine     75%         $3,000, 16 hours IT, 4 hours downtime
AV machine, copy user files,      60%         $3,000, 24 hours IT, 4 hours user, 8 hours downtime
    replace machine, restore
    files

In this list (assuming a user desktop), the real problem is user behavior. You'll want to document why the prognosis is < 100% for the various options, and why anything involving user files is less effective than "nuking from orbit".

Depending on the issue, you may want to add "doing nothing" or "waiting" that will inform your management of the risks to the business at large.


You can drink all the red wine anti-virus you want to try and prevent getting cancer, but once you get that first tumor, more drinking isn't going to help. You need to cut it out and make sure that you get all of it, because if you don't it will come back again.

Once you get infected with a virus, the obvious symptoms are an annoyance, but it is what you cannot see where the true danger lies. Backdoors, rootkits, and botnets can all hide without any indication that there is anything wrong. Sometimes the hidden dangers are combined with obvious dangers so you feel secure once the obvious symptoms are gone, but the obvious is a distraction from the hidden.

Once you know that you have been infected, you do not know how far the infection goes, and not knowing that means you do not know what is at risk. The most basic course of action is to nuke it from orbit. That way you know where you are and you know what your risk is, even if there is a significant cost to starting over from scratch.