Normal people have no idea what https://paypal.com/ is. For them https://paypal.co/ looks perfectly fine (PayPal might have bought all second-level domains, but I highly doubt that). Normal people have no idea what "com" means, what domain levels are, or what the meaning of a dot in the domain name is. Or what the meaning of HTTP or HTTPS is, when the former is now hidden by all major web browsers. I'm an IT pro and I've no idea why there are these three letters "://" after the protocol name. Why not "::" or "->" or any other arbitrary combination?
Normal people may want to visit PayPal for the first time ever, which means no AutoFill data or any indication that they've arrived at a website they can really trust.
Idiots who say you should trust a website based on its name think too much of people. The Internet was designed for geeks and remains so, no matter what geeks say. And it wasn't designed with security/privacy/encryption/simplicity in mind - to the contrary, the first major protocols had nothing to do with encryption or remote party identification.
Here's an example from real life: my ISP transparently replaces IP records in DNS answers for forbidden websites (it's a usual practice, even in the USA) - how on Earth could you trust a domain name when your ISP can reroute your traffic at will? And no! I'm not using my ISP's DNS resolver - I have a recursive DNS server on my PC - which means they transparently replace my UDP traffic. The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off, and besides, you cannot really trust CAs nowadays.
Sorry, I've never seen so many idiots at /. simultaneously.