OK, so our company's software IS what you define as COTS. It's in production use by a number of commercial entities such as BP, Deuchebank, General Motors, Wells Fargo, etc. By your definition we shouldn't have any trouble with the feds about offshore development.
That being said, the vast majority of accounts require some customization to fit the customers' needs (similar to the way most databases require customization for customers' use: creating tables, developing procedure code, etc.) This is all done within the product's development environment (none of the core source code is touched) and all customization work is done by cleared personel.