Wensleydale
Very true. After many years of sensible people avoiding COTS like the plague, for these very reasons, the Defence Scientific Advisory Council (not just scientists, but including users at, typically, SO1 level, and reporting direct to SofS) issued a report in 2000 completely trashing the notion as too risky. (MoD refuses to release it, which is why you keep your own copy!) There are exceptions in various domains, but usually not in airborne equipment.
You mention configuration management. Nailed it. The RAF Chief Engineer withdrew ALL funding for CM in 1992/3 and, while partly resurrected, the gaps were never plugged. And subsequent generations of staff were taught it was a waste. Without it, the Safety Case can NEVER be validated. This is the remedial work the MAA should have been concentrating on instead of re-writing the regs. But doing so would reveal the underlying reason for their very existence, which they do not want to acknowledge.