The letter "c" can also be used to "phish" people who want a domain name that should include the letter "o" and yet we don't say the letter "c" is disallowed :/. The premise of domain names being your source of security is what is broken: we should be helping end users by scoring domains based on some combination of page rank and a web of trust implicitly built out of their existing address books, so when they are sent to bankcfamerica.com it shows up as "likely a wrong URL" without them having to squint at the domain name to notice the "c" (at which point we can probably also replace domain names with a post-scarcity collision-tolerant naming system, which would be absolutely glorious).