So what you're saying is that gov't contractors could sell to North Korea, Iran and other rogue nations [if they can get away with it]?
If there is no law, sanction, or export control governing the sale? Yes. The US government has been involved with this product for more than a decade; if they wanted to restrict its sale, they'd have done so by now.
This is not military-grade or custom software. It is off-the-shelf big-data reporting software used by a number of financial and medical institutions. It's marketed as security software, and the media is interested in ginning up outrage over that point, but in the end it's just a reporting tool; it only helps with understanding data that is already collected by other systems.
The DOD made the choice to use off-the-shelf software, rather than develop internally or contract custom work. The DOD is well within its rights to demand the same sort of reviews and reject any products it finds insecure, though buying off-the-shelf software does mean there is less governance over who the same software can be sold to in the same manner.
Source code reviews are very common for major off-the-shelf products sold to governments. Microsoft even has policies for that specific purpose--just about any customer big or valuable enough can review the Windows source code, and we know that many of them (such as China) have.
For allies - that would be another matter. Sorry, but normalizing that kind of thing for the almighty buck is prima facie ridiculous.
Given what this software actually does, I don't agree that it applies in this case, but you are under the misconception that 'normal and believable' and 'stupid and short-sighted' are mutually exclusive when dealing with governments and large companies.