If it says "bankofamericaa.com" your alarm bells should start ringing. Even assuming the attacker can't get a certificate for the right country, how is the user expected to notice (and understand) the wrong country code if they can't notice the wrong domain name?
Notice that by this point the claimed benefit of the EV cert has lost all connection to the validation process and is now solely an artifact of the impermissibility of spaces in host names.