If you offer securities involving American companies/assets/real-estate/etc or to offer securities to American residents then you are subject to their jurisdiction.
I see this stated often, but how exactly is this the case, either from a "legal land" standpoint or a logical one? Can someone doing something completely legal in their country magically fall under the jurisdiction of the United States merely because they don't exclude citizens of the United States from their business? How would you even go about that, without collecting and verifying identifying information for every single user of your service?
First I am not advocating such policies nor do I think they are completely logical however the "long arm of the (US) law" is indeed long. If you open your exchange in say Somalia you likely are safe (unless the DOD wants to test out some new reaper drone on a "financial enemy of the state") however if you are in a country which has "normal" relations with the US well your fraked. Your own country will turn you, your assets, your servers, and everything else the DOJ asked for in a split second (and be happy about doing it). Just ask the people who ran poker sites where it was "legal" and offered play to Americans (in violation of US law).
As for:
How would you even go about that, without collecting and verifying identifying information for every single user of your service?
Generally speaking (this applies for any law in any country) when something is deemed illegal it isn't the responsibility of the entity making it illegal to give you an "out". It would be like saying "wait selling Marijuana is illegal how would I go about legally selling marijuana".
However you already expressed the "out" you just don't like it. Collect KYC/AML information from all participants. That combined with IP monitoring, and blacklisting known proxies gives you pretty good deniability. If an American still bought securities on your site it would be pretty easy to prove you didn't have the INTENT to break the law. Generally speaking (once again the real answer is consult legal counsel) is that violation of any law required INTENT. While your activity may be technically unlawful (1 out of 200,000 participants is an American despite your best efforts) it doesn't rise to criminality.
One last point, I was just using US because it is the laws I am most familiar with.
I am 99% sure that every other "first world" country had similar laws and an SEC equivalent used for regulation. So it isn't just a matter of block Americans it becomes block Americans, French, Canadians .... . That being said there likely are ways to get bend the law. If one operated an exchange out of a financial privacy country ("aka offshore"), accepted connections only via tor, and made payments only via Bitcoin (think Silk Road equivalent for securities) while it likely would still be on the SEC radar there wouldn't be much they could do about it.
The way GLBSE went about it was just asinine. It was just anonymous to bring in every scammer, huckster, and conman on the planet while just public enough to ensure that eventually it would bring the attention of an entity like the SEC.